OkCupid security flaws could have given hackers access to user accounts

Joanna Estrada
August 1, 2020

While testing the mobile app, the research team also found that OkCupid's primary domain was vulnerable to cross-site scripting (XSS) attacks. Online dating platforms have become another rich field for cybercriminals, so it is concerning that security researchers reported significant vulnerabilities in the OkCupid app, which caters to more than 50 million users. "The problem lies in several vulnerabilities in the official 'OkCupid' app, which isn't following the best practices for securing people's private data."

Researchers at cybersecurity firm Check Point discovered a range of security flaws in the website and mobile app of the online dating service, which is used by more than 50 million people globally. For the uninitiated, the reverse engineering process is used to assess whether the system has any major security flaws or vulnerabilities.

In addition to dating preferences and messages, the flaws also opened a way to glean other intimate information related to the victim, including their age, location, religion, sexual orientation as well as professional background and the kind of lifestyle they prefer.

Taking advantage of the security flaws Check Point Research discovered, a hacker could have posed as a user and sent a malicious link to victims or posted it on public forums.

If users clicked the link, the malicious code would give the hackers access to and control of their victims' accounts. Check Point disclosed its findings to OkCupid, and developers fixed the flaws within 48 hours. "How easily can someone I don't know access my most private photos, messages and details?"

However, these detailed personal profiles are also "highly prized" by hackers, Check Point researchers said, adding that "they're the 'gold standard' of information either for use in targeted attacks, or for selling on to other hacking groups, as they enable attack attempts to be highly convincing to unsuspecting targets". Bumble asks users to confirm their identities with selfies. Earlier this year, a study accused Grindr, OkCupid and Tinder of sharing sensitive data.

"Every maker and user of a dating app should pause for a moment to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic", said Check Point researcher Oded Vanunu. Specifically, OkCupid was accused of sending data about drug use, political views, and ethnicity to Braze. "We're grateful to partners like Check Point who, with OkCupid, put the safety and privacy of our users first".
