Critical vulnerabilities risking private user data flagged in OkCupid
What's the story
In a major shocker, security researchers have flagged critical vulnerabilities in OkCupid, a renowned online dating platform used by 50 million people around the world. The issues, as the experts explained, were detected in the apps and website of the service and opened a way for attackers to steal the private data of its users. Here's all about it.
Issue
Flaws posing threat to personal messages, dating preferences
During a recent investigation, the team from security firm Check Point Research looked into OkCupid and found a series of flaws in its apps and website. The bugs, they noted, could have been exploited by any sophisticated hacker to steal account data, from email to authentication tokens, of an OkCupid user as well as their profile data such as date preferences and personal messages.
Information
Other profile information also risked
In addition to dating preferences and messages, the flaws also opened a way to glean other intimate information related to the victim, including their age, location, religion, sexual orientation as well as professional background and the kind of lifestyle they prefer.
Demo
The team demonstrated the hack
Check Point even shared a video that demonstrated how the vulnerabilities in question could be exploited using a specially-crafted link. In the clip, the target just clicked on the link and all their data, including messages, went to the command-and-control server on the attacker's end. Theoretically, this link could be shared through a fake account or posted publicly to trick people into opening it.
Information
Partial account takeover was also possible
As the data at risk also included authentication tokens and user IDs, the researchers claimed that hackers could have used it for partial account takeovers and execute certain actions from the victims' accounts like sending messages.
Fix
OkCupid fixed the bugs soon after being informed
Soon after the issues came into the light, the team at Check Point got in touch with OkCupid and informed them about the problem and what is at stake. In a matter of 48 hours, the dating platform deployed a fix to close all the bugs for good. It also officially confirmed that none of its users were impacted by the flaws disclosed.
Quote
Here's what OkCupid said on the matter
"Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We are grateful to partners like Checkpoint who with OkCupid, put the safety and privacy of our users first."
Questions
Still, this raises major questions over safety of dating apps
While the issues were promptly fixed by OkCupid, the case raises major concerns around the safety of data that millions of people around the world entrust to leading dating platforms. These services have some really personal and intimate details, things which, if exposed or stolen, could easily be used for major social engineering-based cyber-attacks, even cases of blackmailing and extortion.