Up to this aspect, we’re able to launch the OkCupid mobile application utilizing a deep website link, containing a harmful JavaScript rule within the area parameter. The after screenshot shows the ultimate XSS payload which loads jQuery and then lots JavaScript rule through the attacker’s server: (please be aware the top of area provides the XSS payload in addition to base section is similar payload encoded with URL encoding):

The after screenshot shows an HTTP GET demand containing the last XSS payload (section parameter):

The host replicates the payload delivered earlier in the day into the part parameter additionally the injected JavaScript code is performed into the context for the WebView.

A script file from the attacker’s server as mentioned before, the final XSS payload loads. The loaded JavaScript code will be properly used for exfiltration and account contains 3 functions:

1. steal_token – Steals users’ verification token, oauthAccessToken, and also the users’ id, userid. Users’ sensitive information (PII), such as for instance email, is exfiltrated too.
2. steal_data – Steals users’ profile and data that are private choices, users’ characteristics ( ag e.g. responses filled during registration), and more.
3. Send_data_to_attacker – send the data gathered in functions 1 and 2 to your attacker’s host.

steal_token function:

The big event produces A api call to the host. Users cookies that are provided for the host because the XSS payload is performed into the context regarding the application’s WebView.

The host reacts with a vast json containing the users’ id additionally the verification token also:

Steal information function:

An HTTP is created by the function request endpoint.

In line with the information exfiltrated within the steal_token function, the demand has been delivered using the verification token while the user’s id.

The host reacts with the information about the victim’s profile, including e-mail, intimate orientation, height, family members status, etc.

Forward information to attacker function:

The big event produces a POST request to your attacker’s host containing all the details retrieved in the past function phone calls (steal_token and steal_data functions).

The after screenshot shows an HTTP POST demand provided for the attacker’s host. The demand human body contains all the victim’s delicate information:

Performing actions with respect to the target can be feasible as a result of exfiltration associated with the victim’s verification token as well as the users’ id. These details can be used when you look at the harmful JavaScript code (in the same way used in the steal_data function).

An assailant can perform actions such as forward messages and alter profile data as a result of information exfiltrated within the steal_token function:

1. Authentication token, oauthAccessToken, is employed within the authorization header (bearer value).
2. User id, userId, is added as needed.

Note: An attacker cannot perform complete account takeover because the snacks are protected with HTTPOnly.

the information and knowledge exfiltrated into the function that is steal_token

1. Authentication token, oauthAccessToken, can be used within the authorization header (bearer value).
2. Consumer id, userId, is added as needed.

Note: An attacker cannot perform account that is full considering that the snacks are protected with HTTPOnly.

Online System Vulnerabilities Mis-configured Cross-Origin Site Sharing Policy Contributes To Sensitive Information Visibility

In the course of the study, we have discovered that the CORS policy for the API host api.OkCupid.com just isn’t configured correctly and any beginning can deliver needs into the host and read its responses that are. The request that is following a demand sent the API host through the beginning

The host will not validate the origin properly and reacts because of the required information. Furthermore, the host reaction contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: real headers:

Only at that point on, we discovered that individuals can deliver requests to your API host from our domain without having to be obstructed because of the CORS policy.

Once a target is authenticated on OkCupid browsing and application towards the attacker’s internet application, an HTTP GET demand is delivered to containing the victim’s snacks. The server’s reaction contains A json that is vast containing the victim’s authentication token plus the victim’s user_id.

We’re able to find more helpful information in the bootstrap API endpoint – sensitive and painful API endpoints within the API host:

The screenshot that is following delicate PII data exfiltration from the /profile/ API endpoint, with the victim’s user_id plus the access_token:

The after screenshot shows exfiltration associated with victim’s communications through the /1/messages/ API endpoint, making use of the victim’s user_id as well as the access_token:

Summary

The entire world of online-dating apps has continued to develop quickly across the years, and matured to where it is at today aided by the change up to a electronic globe, specially in the past 6 months – considering that the outbreak of Coronavirus around the world. The “new normal” habits such as for example as “social distancing” have actually forced the dating globe to enticount count on electronic tools for help.

The study offered right right right here shows the potential risks connected with among the longest-established and a lot of apps that are popular its sector. The serious importance of privacy and information protection becomes a lot more important whenever a great deal personal and intimate information being stored, handled and analyzed in a software. The application and platform is made to create individuals together, but needless to say where individuals get, crooks will observe, hunting for effortless pickings.