Researchers demonstrate how a hacker could have accessed users’ sensitive data on OkCupid, a free online dating platform.

Security flaws on a free online dating platform could have resulted in dating disasters. If the flaws had been exploited, the vulnerabilities would have allowed hackers to access and steal the private data of OkCupid users, and then send messages from their account with impunity.

OkCupid has over 50 million registered users and it is used in 110 countries. During the ongoing pandemic, OkCupid saw a 20% increase in conversations. However, the detailed personal information submitted by users also makes online dating services a lucrative target for threat actors, either for targeted attacks, or for selling stolen information to other hackers.

Researchers at cybersecurity firm Check Point demonstrated that the vulnerabilities in OkCupid’s app and website could give a hacker access to a user’s full profile details, private messages, sexual orientation, personal addresses, and all the answers ever submitted to OkCupid’s profiling questions.

The flaws would also have enabled hackers to manipulate the target user’s profile data and send new messages to other users from their account—enabling them to impersonate the real user for further fraudulent or malicious activities.

Date hacking 1-2-3

Researchers detailed a three-step attack method which would have enabled a hacker to target users:

  1. The hacker generates a malicious link containing a targeted payload that initiates the attack
  2. The hacker sends the link to the intended target, or publishes it in a public forum for users to click on
  3. Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account

Said Oded Vanunu, Head of Products Vulnerability Research, Check Point: “Our research into OkCupid has raised some serious questions over the security of all dating apps and websites. We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms.”

Fortunately, the team at OkCupid has responded to Check Point’s disclosure of their findings and has immediately and responsibly mitigated these vulnerabilities on their mobile app and website. Users do not need to take any action. According to their official statement, “not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”