At this point, we were able to launch the OkCupid mobile application using a deep link that contains malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note: the upper part contains the XSS payload and the lower part is the same payload, URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, so the injected JavaScript code is executed in the context of the WebView.
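The following is an added example (not OkCupid's code) that models the reflected sink described above: a `section` value taken from a deep link and echoed by the server into HTML that the app's WebView renders, shown in its vulnerable form next to an allow-list-plus-encoding fix. The function names, the `okcupid://` link shape and the list of known section names are assumptions.

```javascript
// Added example, not OkCupid's code. Models a `section` deep-link parameter
// reflected into WebView HTML. Section names and link format are assumptions.

const KNOWN_SECTIONS = new Set(["profile", "matches", "messages", "settings"]);

// Vulnerable: the parameter is concatenated straight into the markup, so a
// payload such as <script src=...> runs in the WebView with the app's cookies.
function renderSectionVulnerable(section) {
  return `<div id="section">${section}</div>`;
}

// Minimal HTML entity encoding for text placed between tags.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened: a section name has a small known vocabulary, so validate against an
// allow-list first and fall back to a safe default; encode on output as well.
function renderSectionHardened(section) {
  const safe = KNOWN_SECTIONS.has(section) ? section : "profile";
  return `<div id="section">${escapeHtml(safe)}</div>`;
}

// Extracts the `section` value from a deep link such as
// okcupid://open?section=matches (the WHATWG URL parser handles custom schemes).
function sectionFromDeepLink(link) {
  return new URL(link).searchParams.get("section");
}
```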

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data: preferences, user attributes (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected by functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON that contains the user's id as well as the authentication token:

steal_data function:

The function creates an HTTP request to the endpoint.

Based on the information exfiltrated by the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function creates a POST request to the attacker's server containing all the data retrieved in the previous function calls (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible, thanks to the exfiltration of the victim's authentication token and user id. This information can be used in the malicious JavaScript code (in the same way it is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data, thanks to the information exfiltrated by the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as needed.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly.

Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following request was sent to the API server from an origin under our control:

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains an Access-Control-Allow-Origin header and an Access-Control-Allow-Credentials: true header:

At this point, we understood that we could send requests to the API server from our domain without being blocked by the CORS policy.

As soon as a victim is authenticated to the OkCupid application and browses to the attacker's web application, an HTTP GET request is sent containing the victim's cookies. The server's response includes a large JSON containing the victim's authentication token and the victim's user_id.
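The following added example (not OkCupid's code) contrasts the kind of CORS policy described above, where the requesting origin is accepted and credentials are allowed, with an exact-match allow-list, and models the browser-side rule that decides whether a page can read a credentialed cross-origin response. It also includes a simple check a reviewer can run over a captured response. The trusted origins and the attacker origin are constructed placeholders.

```javascript
// Added example, not OkCupid's code. Origins are constructed placeholders.

const TRUSTED_ORIGINS = new Set([
  "https://www.example-app.test",
  "https://m.example-app.test",
]);

// Misconfigured: echoes any Origin back and also allows credentials, so a page
// on any site can read responses that carry the victim's cookies.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact-match allow-list. Untrusted origins get no CORS headers at
// all, and Vary: Origin stops caches from serving one origin's headers to another.
function corsHeadersAllowList(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Browser rule for a credentialed request (fetch with credentials: "include"):
// the body is readable only if ACAO equals the page's origin exactly ("*" is
// rejected when credentials are sent) and ACAC is "true".
function browserCanReadResponse(pageOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Review check over a captured request/response pair: flags a non-allow-listed
// origin being echoed back together with credentials.
function isCorsMisconfigured(requestOrigin, headers) {
  return headers["Access-Control-Allow-Origin"] === requestOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true" &&
         !TRUSTED_ORIGINS.has(requestOrigin);
}
```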

We were able to find even more useful information in the bootstrap API endpoint: sensitive API endpoints on the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:

Conclusion

The world of online dating apps has developed rapidly over the years, and has matured to where it is today with the shift to a digital world, especially in the past 6 months, since the outbreak of Coronavirus around the world. The "new normal" habits, such as "social distancing", have pushed the dating world to rely even more on digital tools for help.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes even more essential when so much personal and intimate information is being stored, managed and analyzed within an application. The app and platform were made to bring people together, but of course where people go, criminals will follow, looking for easy pickings.