The vulnerabilities worked like this: an attacker sent the victim a message containing a malicious link, either through the app or by any other channel, such as a text message or a forum post. Clicking the link gave the attacker access to the victim's personal account. Within the account, the attacker could see and steal the sensitive information stored in the profile, including full private messages and correspondence, identifying information, sexual preferences, movies and photos. The attacker could also manipulate the existing content in the victim's account, including changing account information, changing preferences and sending private messages on behalf of the victim.
This is a very serious type of weakness. In addition, the company admitted that it was in its computing infrastructure, i.e. in the computers it uses to run the service. Check Point researchers identified the weaknesses and disclosed them to OkCupid, and the bugs were fixed directly on the company's servers. Users are not required to make any changes to the app or service settings.
The company also said: “Users can use the app without fear. No user has been affected by these vulnerabilities.” OkCupid is considered one of the most popular dating apps in the world, with more than 50 million users in 110 countries, including Israel. It was the first dating app on mobile devices. The app is well known to the public, especially among young people aged 24-35, who are its main target audience. During the coronavirus period the company reported a 20% increase in app usage.
Oded Vanunu, Head of Product Weakness at Check Point, said: “Dating apps contain a lot of important personal information and therefore their level of security is critical for users. We have proven that one of the most popular apps in the world has serious vulnerabilities. The materials on these platforms are sensitive, so hopefully the level of security of such dating apps is sufficient.”
We will also add that dating apps often contain loopholes and weaknesses. This is not the first time one has been revealed in a dating app. For example, last January OkCupid, Grindr and Tinder were accused of passing on users' personal information to a third party without notifying them.
Moreover, in February last year, it became clear that many user accounts on the service had been hacked and that their owners found themselves locked out. It is not clear whether the hackers used the same vulnerability that was exposed today or another loophole. Our recommendation is to enable two-step verification wherever possible, which hardens access to the account. If the service does not offer it, consider switching to a service that does, or simply share as little personal information as possible on the app.