Check Point Press Releases

Avoiding Dating Disasters: Check Point Research Helps to Mitigate Significant Vulnerabilities in OkCupid’s Website and Mobile App

Check Point researchers demonstrate how a hacker could have accessed users’ sensitive data – full profile details, private messages, images and email addresses – on OkCupid, the leading free online dating platform


San Carlos, CA  —  Wed, 29 Jul 2020

Check Point Research, the Threat Intelligence arm of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, recently identified and helped mitigate several security flaws on OkCupid’s website and mobile app.  If exploited, the vulnerabilities would have allowed a hacker to access and steal the private data of OkCupid users, and send messages from their account without users’ knowledge.

Launched in 2004, OkCupid is now one of the leading free online dating services globally with over 50 million registered users and used in 110 countries. In 2019, 91 million connections were made via the site annually, with an average of 50,000 dates arranged every week. During the Covid-19 pandemic, OkCupid has seen a 20% increase in conversations. However, the detailed personal information submitted by users also makes online dating services targets for threat actors, either for targeted attacks, or for selling on to other hackers.

Check Point researchers demonstrated that the vulnerabilities in OkCupid’s app and website could give a hacker access to a user’s full profile details, private messages, sexual orientation, personal addresses, and all submitted answers to OkCupid’s profiling questions. The flaws would also have enabled the hacker to manipulate the target user’s profile data and send new messages to other users from their account – enabling the hacker to impersonate the real user for further fraudulent or malicious activities.

Researchers detailed the three-step attack method which would have enabled a hacker to target users:

  1. The hacker generates a malicious link containing a targeted payload that initiates the attack
  2. The hacker sends the link to the intended target, or publishes it in a public forum for users to click on
  3. Once the victim clicks the link to open it, the malicious code is executed, giving the hacker access to the target’s account

Oded Vanunu, Head of Products Vulnerability Research at Check Point, said: “Our research into OkCupid, which is one of the most popular dating platforms, has raised some serious questions over the security of all dating apps and websites. We demonstrated that users’ private details, messages and photos could be accessed and manipulated by a hacker, so every developer and user of a dating app should pause to reflect on the levels of security around the intimate details and images that they host and share on these platforms.  Thankfully, OkCupid responded to our findings immediately and responsibly to mitigate these vulnerabilities on their mobile app and website.”

Check Point researchers responsibly disclosed their findings to OkCupid. OkCupid acknowledged and fixed the security flaws in its servers, so users do not need to take any action.  Following the disclosure and fixing of the vulnerabilities, OkCupid issued this statement: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app. Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We’re grateful to partners like Check Point who with OkCupid, put the safety and privacy of our users first.”

 

For details of the vulnerabilities and a video showing how they could be exploited, visit https://research.checkpoint.com

 

Follow Check Point Research via:
Blog: https://research.checkpoint.com/
Twitter: https://twitter.com/_cpresearch_

About Check Point Research

Check Point Research provides leading cyber threat intelligence to Check Point Software customers and the greater intelligence community. The research team collects and analyzes global cyber-attack data stored on ThreatCloud to keep hackers at bay, while ensuring all Check Point products are updated with the latest protections. The research team consists of over 100 analysts and researchers cooperating with other security vendors, law enforcement and various CERTs.

 

About Check Point Software Technologies Ltd.

Check Point Software Technologies Ltd. (www.checkpoint.com) is a leading provider of cyber security solutions to governments and corporate enterprises globally. Its solutions protect customers from 5th generation cyber-attacks with an industry leading catch rate of malware, ransomware and other types of attacks. Check Point offers multilevel security architecture, “Infinity” Total Protection with Gen V advanced threat prevention, which defends enterprises’ cloud, network and mobile device held information. Check Point provides the most comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

 

This website uses cookies to ensure you get the best experience. Got it, Thanks! MORE INFO