Sensitive Data Exposure & Performing actions on behalf of the victim

At this point, we are able to launch the OkCupid mobile application using a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the top section contains the XSS payload and the bottom section is the same payload encoded with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server replicates the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
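A defensive counterpart to the reflection described above, as an added example that is not code from the original research or from OkCupid: the deep link's section value is checked against an allowlist before it is handed to the WebView, and the server encodes it on output in any case. The `exampleapp://` scheme, the section names and the markup are assumptions made for illustration.

```javascript
// Hypothetical allowlist of section names the app actually supports.
const ALLOWED_SECTIONS = new Set(["notifications", "privacy", "account"]);

// Encode the five characters that can break out of HTML text or attributes.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Client side: decide whether a deep link may be loaded into the WebView.
// Returns { ok, section } on success or { ok: false, reason } on rejection.
function checkDeepLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // searchParams percent-decodes once, so URL-encoded markup is seen as markup.
  const values = url.searchParams.getAll("section");
  if (values.length !== 1) return { ok: false, reason: "missing-or-duplicate" };
  const section = values[0];
  if (!ALLOWED_SECTIONS.has(section)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, section };
}

// Server side: never echo the parameter raw, even if the client validated it.
function renderSection(section) {
  return `<div id="section" data-name="${htmlEscape(section)}"></div>`;
}
```
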

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data, preferences, the user's characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function creates an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a vast JSON containing the user's id and the authentication token as well:

steal_data function:

The function creates an HTTP request to the endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information regarding the victim's profile, including email, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function creates a POST request to the attacker's server containing all the information retrieved in the previous function calls (steal_token and steal_data functions).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all the victim's sensitive information:

Performing actions on behalf of the victim is also possible due to the exfiltration of the victim's authentication token and the user's id. This information is used in the malicious JavaScript code (just as it is used in the steal_data function).

An attacker can execute actions such as sending messages and changing profile data due to the information exfiltrated in the steal_token function:

  1. Authentication token, oauthAccessToken, is used in the authorization header (bearer value).
  2. User id, userId, is added as required.

Note: An attacker cannot perform full account takeover since the cookies are protected with HTTPOnly.

Web Platform Vulnerabilities

Mis-configured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

In the course of the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly and any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: true headers:

From this point on, we knew that we could send requests to the API server from our domain without being blocked by the CORS policy.

As soon as a victim is authenticated on the OkCupid application and browses to the attacker's web application, an HTTP GET request is sent to containing the victim's cookies. The server's response contains a vast JSON containing the victim's authentication token and the victim's user_id.

We are able to find much more useful data in the bootstrap API endpoint – sensitive API endpoints in the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:
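The policy described above next to a corrected one, as an added example that is not OkCupid's server code: the weak function echoes any Origin together with Access-Control-Allow-Credentials: true, the corrected one does so only for an exact allowlist match, and a small audit helper shows which origins a browser would let read a credentialed response. The origins and function names are constructed placeholders.

```javascript
// Constructed allowlist; placeholder origins, not a real configuration.
const TRUSTED_ORIGINS = new Set(["https://www.example.com", "https://m.example.com"]);

// Weak policy as described on the page: reflect whatever Origin was sent.
function corsHeadersReflecting(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected policy: exact string match, no suffix or substring tests, and
// Vary: Origin so caches never serve one origin's headers to another.
function corsHeadersAllowlisted(origin) {
  const headers = { Vary: "Origin" };
  if (typeof origin !== "string" || !TRUSTED_ORIGINS.has(origin)) return headers;
  return {
    ...headers,
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// A browser exposes a credentialed response to script only when the origin is
// echoed exactly and credentials are explicitly allowed.
function credentialedReadAllowed(origin, headers) {
  return headers["Access-Control-Allow-Origin"] === origin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Constructed probe origins for auditing a policy function.
const PROBES = [
  "https://www.example.com",               // trusted
  "https://untrusted.example.net",         // unrelated site
  "https://www.example.com.other.example", // look-alike suffix
  "null",                                  // sandboxed or file-based documents
];

// Returns the probe origins that would be able to read credentialed responses.
function auditPolicy(policyFn, probes = PROBES) {
  return probes.filter((o) => credentialedReadAllowed(o, policyFn(o)));
}
```

Running `auditPolicy` against a staging copy of the real header logic gives a quick regression check that only allowlisted origins ever receive the credentialed pair of headers.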


The world of online-dating apps has developed quickly over the years, and matured to where it is today thanks to the transformation to a digital world, especially in the past 6 months, since the outbreak of Coronavirus across the globe. The "new normal" habits such as "social distancing" have forced the dating world to rely completely on digital tools for help.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes far more crucial when so much private and intimate information is being stored, managed and analyzed in an app. The app and platform was created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.
