50 million OkCupid users at risk due to security flaws — what to do now
Several flaws found in OkCupid's website and apps
OkCupid, one of the world’s most popular online dating services and a mainstay among the best dating apps for mobile devices, has been left vulnerable to the threat of hacking as a result of several security flaws.
Researchers at cybersecurity firm Check Point discovered a range of dangerous flaws in the website and mobile app of the online dating service, which is used by more than 50 million people globally.
Data on daters
By leveraging these vulnerabilities, a hacker would have been able to view personal information such as full profiles, messages, email addresses, sexual orientation and other details that users input as part of OkCupid’s profiling process.
The flaws would also have allowed a cybercrook to carry out myriad hostile actions, like “manipulating user profile data and sending messages” from a user’s account, all without the user knowing.
Check Point explained that a hacker could do these things by injecting malicious code into the back end of the OkCupid website and mobile apps.
Simple steps
As part of this process, the hacker would have had to create a “single, malicious link” that would be distributed to users of the online dating service.
A successful breach would have been a case of following three relatively simple steps, which are as follows:
- Threat actor generates a link containing a payload that initiates the attack
- Threat actor sends the link to the victim, or publishes it in a public forum
- Once the victim touches or clicks the link, the malicious code is executed, resulting in data exfiltration
Check Point said this attack “enables an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data”.
Oded Vanunu, head of products vulnerability research at Check Point, said: “Our research into OkCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps.
“The fundamental questions being: how safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe.
“Every maker and user of a dating app should pause for a moment to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic. Applications with sensitive personal information, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them.”
Taking action
Since discovering the flaws, Check Point researchers have reported them to OkCupid and the dating site has issued fixes.
OkCupid said: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.
“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Check Point who with OkCupid put the safety and privacy of our users first.”
This isn’t the first time that a dating website has been breached and seen user data put at the mercy of threat actors.
To stay one step ahead of cybercrooks, you should generate strong passwords, ask yourself if you’re potentially sharing too much personal information online, only use reputable apps and download an antivirus solution.
Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!