sb-eu logo
Story image

OkCupid website and app found to have significant security flaws

30 Jul 2020

Online dating service OkCupid has come under scrutiny after Check Point Research discovered several security flaws in both the company’s website and app.

Check Point revealed that the vulnerabilities, if exploited, would have allowed a hacker to access and steal the private data of OkCupid users, as well as potentially send messages from users’ accounts without the user knowing or consenting.

Additionally, successful breaches into OkCupid accounts could grant attackers access to users’ profile details, including private personal information, private messages, sexual orientation, personal address, and all submitted answers to the questions asked by OkCupid’s profiling quiz.

Using this information, hackers could maliciously impersonate other users, or otherwise manipulate the target’s information for nefarious ends.

Researchers from Check Point detailed the three-step attack method which would have enabled a hacker to target users: 

  1. The hacker generates a malicious link containing a targeted payload that initiates the attack 
  2. The hacker sends the link to the intended target, or publishes it in a public forum for users to click on 
  3. Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account.

OkCupid is one of the largest online dating service providers in the world, with an average of 50,000 dates arranged per week from around 90 million annual connections. The service saw a 20% bump in conversations since COVID-19 lockdowns were imposed globally.

As is the case in many other arenas, online dating services have become more of a target since the pandemic began, and the nature of the service means there are troves of private user data ripe for picking.

“Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites,” says Check Point head of products vulnerability research Oded Vanunu.

“We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms. 

“Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.” 

Once discovered, Check Point researchers promptly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action. 

“Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app,” a statement from OkCupid read.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. 

“We're grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”