OkCupid vulnerabilities allow attackers to hijack user accounts

With over 50 million registered users, OkCupid is one of the largest players in the online dating game, aided by the social distancing measures imposed by governments across the globe in response to the coronavirus pandemic.

An expanding user base and the wealth of information contained in dating app accounts make them a particularly ripe target for cybercriminals. Cybersecurity firm Check Point Research has disclosed a set of vulnerabilities that, if exploited, would have allowed an attacker to hijack OkCupid accounts, as well as to steal authentication tokens, IDs and email addresses.

After reverse engineering the software, researchers found deep link functionality that would have allowed threat actors to send a malicious link to open the mobile app. Other attack vectors such as Cross-Site Scripting were also possible due to coding issues in the app’s user settings functionality.