Sensitive Data Exposure & Performing Actions on Behalf of the Victim

At this point, we were able to launch the OkCupid mobile application with a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part shows the XSS payload and the lower part is the same payload, URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code, used for data exfiltration and account takeover, contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data: preferences, user characteristics (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the API host (api.okcupid.com). The user's cookies are sent to the host because the XSS payload is executed in the context of the application's WebView.

The host responds with a large JSON containing the user's id as well as the authentication token:

steal_data function:

The function makes an HTTP request to the endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function makes a POST request to the attacker's server containing all the details retrieved in the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and user id. This information can be used in the malicious JavaScript code (similarly to its use in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as needed.

Note: An attacker cannot perform full account takeover, since the cookies are protected with HttpOnly.

Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly: any origin can send requests to the server and read its responses. The following shows a request sent to the API server from the origin

The server does not validate the origin properly and responds with the requested information. Moreover, the server's response contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: true headers:

From this point on, we knew that we could send requests to the API server from our own domain without being blocked by the CORS policy.

As soon as a victim who is authenticated on OkCupid browses to the attacker's web application, an HTTP GET request is sent to the endpoint containing the victim's cookies. The server's response is a large JSON containing the victim's authentication token and the victim's user_id.

We were able to find more useful data in the bootstrap API endpoint – sensitive API endpoints on the API host:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:

Summary

The world of online-dating apps has developed rapidly over the years, and has matured to where it is today with the shift to a digital world, especially in the last 6 months – since the outbreak of Coronavirus around the world. "New normal" habits such as "social distancing" have pushed the dating world to depend entirely on digital tools for help.

The research presented here demonstrates the risks associated with one of the longest-established and most popular apps in its sector. The serious need for privacy and data security becomes more essential when so much private and intimate information is being stored, managed and analyzed in an application. The platform and app were made to bring people together, but of course where people go, criminals follow, looking for easy pickings.