Cybersecurity researchers today disclosed several security issues in popular online dating platform OkCupid that could potentially let attackers remotely spy on users’ private information or perform malicious actions on behalf of the targeted accounts.
According to a report shared with The Hacker News, researchers from Check Point found that the flaws in OkCupid’s Android and web applications could allow the theft of users’ authentication tokens, user IDs, and other sensitive information such as email addresses, preferences, sexual orientation, and other private data.
After Check Point researchers responsibly shared their findings with OkCupid, the Match Group-owned company fixed the issues, stating, “not a single user was impacted by the potential vulnerability.”
The Chain of Flaws
The flaws were identified as part of reverse engineering of OkCupid’s Android app version 40.3.1, which was released on April 29 earlier this year. Since then, there have been 15 updates to the app with the most recent version (43.3.2) hitting Google Play Store yesterday.
Check Point said OkCupid’s use of deep links could enable a bad actor to send a custom link defined in the app’s manifest…