Only days after Infosecurity reported that OkCupid users said their accounts had been hacked, Checkmarx disclosed that the OkCupid Android App actually posed risks because of security failures in MagicLinks.
It’s well known that malicious actors love to exploit a good holiday, which puts users at risk on Valentine’s Day. To identify any potential vulnerabilities, researchers dove into the popular Android dating app only to discover that attackers could easily gain access to user information, including personal contact information such as email aliases, names, genders, dates of birth and locations.
In addition, researchers found that they could gain access to a user’s dating preferences, such as whether they’re looking to hook up, find new friends, or date short or long term, and whether they’re open to non-monogamy.
According to researchers, most of the URLs that pass through the app are not vulnerable because OkCupid uses WebView, yet some URLs are designated as MagicLink, which Checkmarx describes as opening “inside the main OkCupid WebView, which means that the user has no way of knowing whether its content is legitimate or not. For every MagicLink, what is shown on the screen is just part of the OkCupid application as far as the user knows.”
However, in the words of Pedro Umbelino, the researcher who worked on this project, “A MagicLink can be, among others, simply a URL that contains the string /l/. It’s that magic. Essentially, any link that contains /l/ will pass as a MagicLink. It’s hardly a problem for even the most inexperienced hacker to create a URL containing /l/.”
Using that string, an attacker could then create a malicious phishing page and share it with unsuspecting users in hopes that they enter their login credentials. Because users generally wouldn't be concerned by a page that opens inside the app, the average user would not suspect the link is actually malicious.
“By sending a crafted link to a malicious page, we managed to change the app’s interaction URL base from https://api.okcupid.com to our own controlled HTTP page. By changing the API endpoint to an attacker-controlled address, the attacker now permanently controls the flow of information between the victim and the API server,” researchers wrote.
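The substring test described above can be set beside a stricter check that parses the URL before trusting it. This is an added example, not OkCupid's or Checkmarx's code: the class and method names, the trusted host list and the sample URLs are all assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

public class MagicLinkCheck {
    // Assumption: hosts the app is willing to render inside its own WebView.
    static final Set<String> TRUSTED_HOSTS = Set.of("www.okcupid.com", "okcupid.com");

    // The check as the article describes it: any URL containing "/l/" qualifies.
    static boolean isMagicLinkWeak(String url) {
        return url.contains("/l/");
    }

    // Hardened form: parse first, then require https, an exact trusted host,
    // no userinfo component, and a path that actually starts with /l/.
    static boolean isMagicLinkStrict(String url) {
        final URI uri;
        try {
            uri = new URI(url).normalize();
        } catch (URISyntaxException e) {
            return false; // unparseable input is never trusted
        }
        String host = uri.getHost();
        String path = uri.getPath();
        return "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                && uri.getUserInfo() == null
                && path != null
                && path.startsWith("/l/");
    }

    public static void main(String[] args) {
        // Constructed sample URLs; attacker.example is a reserved placeholder domain.
        String[] samples = {
            "https://www.okcupid.com/l/promo",              // legitimate in-app link
            "https://attacker.example/l/login",             // foreign host with /l/ in the path
            "http://www.okcupid.com/l/promo",               // right host, cleartext scheme
            "https://www.okcupid.com.attacker.example/l/x", // look-alike host suffix
            "https://www.okcupid.com@attacker.example/l/x", // trusted name hidden in userinfo
            "https://www.okcupid.com/profile?next=/l/"      // /l/ only in the query string
        };
        for (String s : samples) {
            System.out.printf("weak=%-5b strict=%-5b %s%n",
                    isMagicLinkWeak(s), isMagicLinkStrict(s), s);
        }
    }
}
```

The weak check accepts all six samples, while the strict check accepts only the first; anything it rejects should open in the external browser, where the user can see the address.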
In a statement shared with Infosecurity, an OkCupid spokesperson wrote, “A few months ago, Checkmarx alerted us to a potential security vulnerability in the android app. We quickly resolved the issue and have no reason to believe this impacted any users, on any operating system. Happy Valentines Day.”