OkCupid website and app found to have significant security flaws

30 Jul 2020

Online dating service OkCupid has come under scrutiny after Check Point Research discovered several security flaws in both the company’s website and app.

Check Point revealed that the vulnerabilities, if exploited, would have allowed a hacker to access and steal the private data of OkCupid users, as well as potentially send messages from users’ accounts without the user knowing or consenting.

Additionally, successful breaches into OkCupid accounts could grant attackers access to users’ profile details, including private personal information, private messages, sexual orientation, personal address, and all submitted answers to the questions asked by OkCupid’s profiling quiz.

Using this information, hackers could maliciously impersonate other users, or otherwise manipulate the target’s information for nefarious ends.

Researchers from Check Point detailed the three-step attack method which would have enabled a hacker to target users: 

  1. The hacker generates a malicious link containing a targeted payload that initiates the attack.
  2. The hacker sends the link to the intended target, or publishes it in a public forum for users to click on.
  3. Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account.

OkCupid is one of the largest online dating service providers in the world, with an average of 50,000 dates arranged per week from around 90 million annual connections. The service has seen a 20% bump in conversations since COVID-19 lockdowns were imposed globally.

As is the case in many other arenas, online dating services have become more of a target since the pandemic began, and the nature of the service means there are troves of private user data ripe for picking.

“Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites,” says Check Point head of products vulnerability research Oded Vanunu.

“We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms. 

“Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.” 

Once discovered, Check Point researchers promptly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action. 

“Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app,” a statement from OkCupid read.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. 

“We're grateful to partners like Check Point who, with OkCupid, put the safety and privacy of our users first.”
