OkCupid vulnerabilities would have ‘allowed attackers to’ steal private data; Developer says 50 million accounts not compromised

이선영 기자 | 기사입력 2020/07/31 [10:17]

OkCupid vulnerabilities would have ‘allowed attackers to’ steal private data; Developer says 50 million accounts not compromised

이선영 기자 | 입력 : 2020/07/31 [10:17]

▲ From a promo video of OkCupid India | Photo credit: OkCupid India / YouTube screenshot


With stay-at-home recommendations still in place in many parts of the world, the demand for dating apps has likely spiked. This also means that online dating platforms became another rich field for cybercriminals, so it is quite concerning when security researchers reported significant vulnerabilities found on the OkCupid app that caters to more than 50 million users.


OkCupid security flaws discovered by researchers


Check Point Research spotted some vulnerabilities on the OkCupid app that may have “allowed attackers to” control an account to some degree. The security issues could have led to the stealing of personal information, private data, and authentication tokens.


The researchers reverse-engineered OkCupid v.40.3.1 on an Android 6.0.1 device and found that it has a deep link function allowing a hacker to inject malicious links to execute an attack. Check Point also discovered that the OkCupid main domain could have been compromised using reflected cross-site scripting (XSS), an attack that hackers utilize to access a user’s cookies by injecting malicious scripts on a vulnerable website.


They were then able to prove that the security flaws would have let hackers steal profile data that users provide upon signing up on OkCupid. The vulnerability also made it possible to steal authentication tokens, send messages on behalf of the users, and collect other sensitive data such as email addresses for exfiltration. However, Check Point confirmed a complete account takeover was not possible because the cookies still had some protection.


OkCupid says no account was compromised, vulnerabilities fixed


Like any decent security research firm, Check Point informed OkCupid of the flaws of its app and domain before publishing their study. At the time of publication, Check Point noted that OkCupid has already “responsibly deployed” a fix on the issues they identified. The online dating platform assured the researchers, “Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours.”


OkCupid users, on the other hand, should also be aware of the basic methods to protect themselves online. It is always advised to use strong passwords and to not give away too much personal information on a dating app. It is also best to always have the latest version of any app to ensure they carry the latest security updates as well.

  • 도배방지 이미지


뉴스레터 구독하기

세상을 바꾸고 있는 블록체인과 IT 관련 이야기를 쉽고 재미있게 만나보세요.

개인정보 수집 및 이용

뉴스레터 발송을 위한 최소한의 개인정보를 수집하고 이용합니다. 수집된 정보는 발송 외 다른 목적으로 이용되지 않으며, 서비스가 종료되거나 구독을 해지할 경우 즉시 파기됩니다.