September 20, 2024
Critical vulnerabilities found in Okcupid’s mobile and web application
The researchers of Check Point Research, the Threat Intelligence area of Check Point® Software Technologies Ltd. discovered and helped resolve several critical vulnerabilities on the Okcupid website and mobile app. In the event that a cyber criminal attempts to exploit these security breaches, he could access and steal private and confidential information from the users of this service, as well as send messages from his profile without the person knowing it.

Okcupid, launched in 2004, is one of the leading free online dating services worldwide, with over 50 million users in 110 countries. In 2019 the application produced more than 91 million user connections, and there were more than 50,000 meetings a week. During the COVID-19 crisis, the service saw an increase of about 20% in total conversations. The amount of personal information and detail that users make available when creating their profiles makes applications such as Okcupid a desirable target for cyber criminals, whether for attacks aimed directly at users or for harvesting information to be sold later to third parties.

Check Point researchers found vulnerabilities in the Okcupid app and website that would allow a cyber criminal full access to a user’s profile, private messages, sexual orientation, address and the answers to the questionnaire the application requires users to complete when opening a profile. The security holes also made it possible to manipulate user profile data and send new messages to other contacts within the application under the identity of the real account owner, in order to carry out fraudulent activity.

How does this vulnerability work?

The researchers describe the three steps of the attack method that cybercriminals seeking to exploit the vulnerability would use:

  • Generate a link with a malicious application that triggers the attack
  • Send the link to the victim or post it in an open forum for users to click
  • Once the link redirects to a web page, the malicious code is executed, which allows access to the victim’s account

Oded Vanunu, Head of Products Vulnerability Research at Check Point, clarifies that “the analysis we made of Okcupid, one of the most popular online dating platforms, focused on the doubt we had about the levels of security of this type of application. We have demonstrated that a cyber criminal could manipulate confidential information, photographs and messages from users. That is why all developers of dating applications and their users should stop and reflect on the security guarantees offered to their information and private photographs that are placed and shared through this type of application. Fortunately, Okcupid acted immediately on our discovery and implemented the recommendations, solving the vulnerabilities of its app and website”.

The Check Point researchers shared their findings with Okcupid officials, who acknowledged the security holes and resolved them so that users did not have to take any extra action. They also shared the following statement: “Check Point Research informed our Okcupid developers about the vulnerabilities found, as well as how to resolve this failure and ensure that users could continue to use the application in a secure manner. No user was affected by this vulnerability, as we were able to repair it in 48 hours. We are very grateful to partners like Check Point, who help us keep users’ security and privacy one of our priorities.”
