As social engineering attacks continue to increase at a frightening rate, the security team at Check Point now warns that there is one domain where you are especially at risk—dating apps. “We have had a lot of cases leading to ransom,” they tell me, “bad actors exploiting users, securing their private information, then attacking.”
“We decided to look at OkCupid,” Check Point’s Oded Vanunu tells me, “as it’s one of the biggest.” The platform has as many as 50 million registered users in more than 100 countries, and its Android app alone has been downloaded more than 10 million times. Check Point decided it was the ideal test for vulnerabilities. “We wanted to understand how easy it would be for hackers to target this infrastructure to hijack accounts,” Vanunu says. “It was very easy.”
The good news is that Check Point shared its findings with OkCupid, enabling a fix to be rushed out. “Not a single user was impacted by the potential vulnerability,” an OkCupid spokesperson told me. “We were able to fix it within 48 hours.” The bad news is that Check Point thinks this is just the tip of an alarming iceberg across the industry, that there are many more vulnerabilities to be found.
“We want to provide much more awareness to users,” Vanunu now says. “With this type of app, you need to understand it might be hacked and you have a lot of private information at stake.” Stepping back, you can see his point: millions of us trust these dating sites and apps to safeguard our information, our likes and dislikes, and that makes them a genuine treasure trove for bad actors.
With OkCupid, Check Point says that its hack enabled access to everything within an account—private information and messages, photos, a user’s real contact details and identity, even answers to the private and awkward questions that enable the site’s AI engine to filter potential matches.
So, how did it work? Check Point identified a vulnerability in the way the OkCupid app handles links: a malicious link could be disguised as one belonging to the platform itself, and the app would open it as if it were. Such a link gave an attacker a route to exfiltrate data and to trigger actions within the platform.
“An attacker can send a custom link,” the team explains in its disclosure. “The mobile application will open a webview (browser) window in the OkCupid mobile application. Any request will be sent with the users’ cookies.” In other words, a user who clicks the link hands the attacker their authenticated session: every request made from that webview carries the user’s session cookies, so the attacker ends up with full access to the account.
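The defensive lesson in that disclosure is that an app must decide, for every link it did not generate itself, whether the link belongs in the authenticated webview at all. The following is an added example of such a policy, not Check Point’s or OkCupid’s code; the `example-dating.com` hosts, the `exdating://` scheme and the `?url=` deep-link parameter are assumptions for illustration, and the sample links at the bottom are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed first-party hosts: the only pages the app may load inside its
# authenticated webview, the one that carries the session cookies.
TRUSTED_HOSTS = {"example-dating.com", "www.example-dating.com"}
# Assumed custom URL scheme the app registers for deep links.
APP_SCHEME = "exdating"

BLOCK, WEBVIEW, EXTERNAL, NATIVE = "block", "webview", "external_browser", "native_screen"


def classify_link(link: str, _depth: int = 0) -> str:
    """Decide how the app should handle a link it did not generate itself.

    WEBVIEW  - first-party page: may be loaded in the authenticated webview
    EXTERNAL - third-party web page: hand it to the system browser, which
               does not hold the app's session cookies
    NATIVE   - deep link into an app screen; no web content is loaded
    BLOCK    - refuse: dangerous scheme, or a link disguised as first-party
    """
    if _depth > 1:
        return BLOCK  # no nested deep links (exdating://...?url=exdating://...)
    try:
        parts = urlsplit(link.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return BLOCK

    scheme = parts.scheme.lower()

    if scheme == APP_SCHEME:
        # Assumed deep-link shape: exdating://open?url=<target>. The target is
        # attacker-controlled text, so it gets the same scrutiny as any link.
        target = parse_qs(parts.query).get("url", [None])[0]
        if target is None:
            return NATIVE
        return classify_link(target, _depth + 1)

    if scheme not in ("http", "https"):
        return BLOCK  # javascript:, data:, file:, intent: and friends

    # "https://www.example-dating.com@evil.example/" shows the trusted name
    # but its host is evil.example. First-party links never carry userinfo,
    # so its presence marks a disguise attempt rather than a real page.
    if parts.username is not None or parts.password is not None:
        return BLOCK

    host = (parts.hostname or "").rstrip(".")  # lowercased by urlsplit
    if not host:
        return BLOCK

    # Exact-match allowlist over https only: "www.example-dating.com.evil.example",
    # homoglyph lookalikes and plaintext links all fall through to the
    # cookie-less system browser instead of the authenticated webview.
    if scheme == "https" and host in TRUSTED_HOSTS and port in (None, 443):
        return WEBVIEW
    return EXTERNAL


# Constructed sample links, including the disguise patterns described above.
SAMPLE_LINKS = [
    "https://www.example-dating.com/profile/123",
    "HTTPS://WWW.Example-Dating.com/messages",
    "https://www.example-dating.com@evil.example/steal",
    "https://www.example-dating.com\\@evil.example/",
    "https://www.example-dating.com.evil.example/",
    "https://www.example-dating.com:8443/",
    "http://www.example-dating.com/",
    "javascript:alert(document.cookie)",
    "//evil.example/x",
    "exdating://profile/123",
    "exdating://open?url=https://www.example-dating.com/settings",
    "exdating://open?url=https://evil.example/",
    "exdating://open?url=exdating://open?url=https://evil.example/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):16} {link}")
```

The point of the three-way split is that the webview holding the session cookies is reserved for an exact-match allowlist of first-party hosts; anything that merely looks first-party goes to the system browser, where no app cookies exist to be sent, and schemes that can run code or read files are refused outright.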
Check Point’s link could be spammed out, targeting users indiscriminately. But the team suggests a targeted attack would be much more likely. “Think about this, this is the reality,” Vanunu warns. “I’m a cyber criminal. I want to ransom people, I want to execute sextortion. I’m in the app. I use a fake ID and find matches. I start chatting. Then I send this link in a chat itself. And that’s it. I have the account. I can start to ransom the person: ‘If you don’t want me to share this info send me bitcoin’.”
Check Point warns that dating apps have become a ready source of actionable data for cyber criminals, whether that data is pulled through a vulnerability or simply tricked out of users by social engineering. Remember, there are many ways to pull IDs and passwords; it doesn’t have to be as direct as this.
“As sophisticated social engineering attacks have increased in the last two years,” Vanunu explains, “attackers require more information about targets. There is a race for data, a race to collect info about users. In this domain, people are much more free, they share much more private information, more pictures, thoughts and ideas than you will find on regular social media platforms. Dating apps are an escape.”
Check Point also points out that targeting an individual may be a route into their organization, or simply a point of leverage. Most users conduct themselves openly, looking to find a match, “but there are also users hiding their identity, providing information that can be dangerous in the wrong hands. We see this daily when we do forensics on attacks on organisations, we see the data that allowed the attacker to target the victim.”
And that’s the takeaway here: yes, the specific detail is on OkCupid, a vulnerability that has been fixed. But, as Vanunu warns, “in my opinion, the other apps can be targeted for sure.” And the particular attack vector is secondary to the value of the private, secret data contained within. As we should all know full well by now, no site or app can be trusted to protect that data as an absolute.
OkCupid is part of Match Group, the giant of the online dating world. Its other platforms (among dozens) include Tinder, Plenty Of Fish and Match itself. “We’re grateful to partners like Check Point,” the company’s spokesperson told me, “who with OkCupid put the safety and privacy of our users first.”
Vanunu’s conclusions are more stark: “We’ve learned that dating apps can be far from safe,” he says. “Every maker and user should pause to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic. Applications with sensitive personal information, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them.”