Editor’s brief: With the modern iterative and agile way of developing apps and websites, it is no wonder that users tend to become “beta testers” for companies. Vulnerabilities tend to be found and patched, and new vulnerabilities may emerge. Even the good old fashioned dating by meeting face to face, has been supplanted by apps on smartphones and screens. With the digitalization of dating, it is imperative that users be careful of the apps they use, and the people whom they “meet” online, lest they fall into scams and other more dire cybersecurity incursions. Check Point Software, a leading cybersecurity vendor, recently announced that they have assisted OKCupid to find vulnerabilities and help fix those flaws in the dating company’s website and app. The vendor’s news release is below.
Avoiding Dating Disasters: Check Point Research Helps to Mitigate Significant Vulnerabilities in OkCupid’s Website and Mobile App
Check Point researchers demonstrate how a hacker could have accessed users’ sensitive data – full profile details, private messages, images and email addresses – on OkCupid, the leading free online dating platform
SINGAPORE – July 30, 2020 – Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, recently identified and helped mitigate several security flaws on OkCupid’s website and mobile app. If exploited, the vulnerabilities would have allowed a hacker to access and steal the private data of OkCupid users, and send messages from their account without users’ knowledge.
Launched in 2004, OkCupid is now one of the leading free online dating services globally with over 50 million registered users and used in 110 countries. In 2019, 91 million connections were made via the site annually, with an average of 50,000 dates arranged every week. During the Covid-19 pandemic, OkCupid has seen a 20% increase in conversations. However, the detailed personal information submitted by users also makes online dating services targets for threat actors, either for targeted attacks, or for selling on to other hackers.
Check Point researchers demonstrated that the vulnerabilities in OkCupid’s app and website could give a hacker access to a user’s full profile details, private messages, sexual orientation, personal addresses, and all submitted answers to OkCupid’s profiling questions. The flaws would also have enabled the hacker to manipulate the target user’s profile data and send new messages to other users from their account – enabling the hacker to impersonate the real user for further fraudulent or malicious activities.
Researchers detailed the three-step attack method which would have enabled a hacker to target users:
- The hacker generates a malicious link containing a targeted payload that initiates the attack
- The hacker sends the link to the intended target, or publishes it in a public forum for users to click on
- Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account
Oded Vanunu, Head of Products Vulnerability Research at Check Point, said: “Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites. We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms. Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.”
Check Point researchers responsibly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action. Following the disclosure and fixing of the vulnerabilities, OkCupid issued this statement: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app. Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”
For details of the vulnerabilities and a video showing how they could be exploited, visit https://research.checkpoint.com
About Check Point Research
Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyses global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.
Follow Check Point Research via:
About Check Point Software Technologies Ltd.
Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally. Check Point’s solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and advanced targeted threats. Check Point offers a multilevel security architecture, “Infinity Total Protection with Gen V advanced threat prevention”, this combined product architecture defends an enterprises’ cloud, network and mobile devices. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organisations of all sizes.