
OkCupid website and app found to have significant security flaws

30 Jul 2020

Online dating service OkCupid has come under scrutiny after Check Point Research discovered several security flaws in both the company’s website and app.

Check Point revealed that the vulnerabilities, if exploited, would have allowed a hacker to access and steal the private data of OkCupid users, as well as potentially send messages from users’ accounts without the user knowing or consenting.

Additionally, successful breaches into OkCupid accounts could grant attackers access to users’ profile details, including private personal information, private messages, sexual orientation, personal address, and all submitted answers to the questions asked by OkCupid’s profiling quiz.

Using this information, hackers could maliciously impersonate other users, or otherwise manipulate the target’s information for nefarious ends.

Researchers from Check Point detailed the three-step attack method which would have enabled a hacker to target users: 

  1. The hacker generates a malicious link containing a targeted payload that initiates the attack.
  2. The hacker sends the link to the intended target, or publishes it in a public forum for users to click on.
  3. Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account.

OkCupid is one of the largest online dating service providers in the world, with an average of 50,000 dates arranged per week from around 90 million annual connections. The service saw a 20% bump in conversations since COVID-19 lockdowns were imposed globally.

As is the case in many other arenas, online dating services have become more of a target since the pandemic began, and the nature of the service means there are troves of private user data ripe for picking.

“Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites,” says Check Point head of products vulnerability research Oded Vanunu.

“We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms. 

“Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.” 

Once the flaws were discovered, Check Point researchers promptly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action.

“Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app,” a statement from OkCupid read.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. 

“We're grateful to partners like Check Point who, with OkCupid, put the safety and privacy of our users first.”
