Critical vulnerabilities risking private user data flagged in OkCupid
In a major shocker, security researchers have flagged critical vulnerabilities in OkCupid, a renowned online dating platform used by 50 million people around the world. The issues, as the experts explained, were detected in the apps and website of the service and opened a way for attackers to steal the private data of its users. Here's all about it.
During a recent investigation, the team from security firm Check Point Research looked into OkCupid and found a series of flaws in its apps and website. The bugs, they noted, could have been exploited by any sophisticated hacker to steal account data, from email to authentication tokens, of an OkCupid user as well as their profile data such as date preferences and personal messages.
In addition to dating preferences and messages, the flaws also opened a way to glean other intimate information related to the victim, including their age, location, religion, sexual orientation as well as professional background and the kind of lifestyle they prefer.
Check Point even shared a video that demonstrated how the vulnerabilities in question could be exploited using a specially-crafted link. In the clip, the target just clicked on the link and all their data, including messages, went to the command-and-control server on the attacker's end. Theoretically, this link could be shared through a fake account or posted publicly to trick people into opening it.
As the data at risk also included authentication tokens and user IDs, the researchers claimed that hackers could have used it for partial account takeovers and execute certain actions from the victims' accounts like sending messages.
Soon after the issues came into the light, the team at Check Point got in touch with OkCupid and informed them about the problem and what is at stake. In a matter of 48 hours, the dating platform deployed a fix to close all the bugs for good. It also officially confirmed that none of its users were impacted by the flaws disclosed.
"Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We are grateful to partners like Checkpoint who with OkCupid, put the safety and privacy of our users first."
While the issues were promptly fixed by OkCupid, the case raises major concerns around the safety of data that millions of people around the world entrust to leading dating platforms. These services have some really personal and intimate details, things which, if exposed or stolen, could easily be used for major social engineering-based cyber-attacks, even cases of blackmailing and extortion.
