Hard News Hard Hitting News Source Global Political News

Cyber Security

Vulnerability in dating site OkCupid could be used to trick users into ‘liking’ or messaging other profiles

A security vulnerability in popular dating site OkCupid meant an attacker could dupe users into unknowingly ‘liking’ or sending messages to other profiles.

The flaw, which earned its finder an undisclosed bug bounty reward, has now been patched.

Contingent on tricking victims into clicking a malicious link, the feat was achieved by combining a cross-site request forgery (CSRF) bug with a “JSON type confusion” vulnerability, explained Yan Zhu, security engineer at privacy-focused browser Brave, in a blog post.

“Obviously you could abuse this in order to match with anyone you could trick into clicking a link, or you could spam the link to a bunch of people to increase your profile’s rankings in whatever mysterious algorithm OkCupid uses to suggest people,” continued Zhu.

“It also occurred to me that if I redirected my website to the CSRF link that automatically sent a message to me, I could see the OkCupid profiles of my website visitors who were logged into okcupid.com, which would make for an intense web analytics tool.”

Cunning Casanova

The researcher studied OkCupid after “checking if websites were sending CSRF tokens alongside requests that require authentication, like sending messages to another user from your account”.

She noticed that messages on the dating site were sent via POST requests to https://www.okcupid.com/1/apitun/messages/send with a JSON-encoded body, and that these requests carried no protective CSRF token.

Zhu then created a webpage that, after some trial and error, successfully sent a cross-origin POST request to OkCupid’s message-sending endpoint on the third attempt.

She tested the exploit against friends who had active OkCupid profiles, explaining that: “Lo and behold, my OkCupid test profile was serenaded by a series of messages that they didn’t mean to send me.”

Zhu joked: “I briefly felt very popular, which made it all worthwhile.”

OkCupid, which was alerted to the flaw during April 2021, told the researcher that it had promptly fixed the flaw.

Interrogate your inputs

Zhu also investigated whether other sites’ authenticated endpoints similarly accepted POSTs with content-type: text/plain, despite expecting JSON.

Of 215 endpoints on Alexa’s top 500 sites whose requests contained ‘api’ or ‘json’, 87 did not return errors, and many apparently returned JSON responses.

“Granted most of these are probably not authenticated endpoints and some of them may need to accept non-JSON text, but this suggests to me that developers should be careful accepting text/plain inputs on endpoints that parse JSON,” concluded Zhu.

She also noted, however, that setting the SameSite cookie attribute to ‘Strict’ effectively prevents this and most other CSRF attacks.
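To make the two points above concrete (a JSON endpoint that accepts a text/plain body from a cross-site form, and the checks that shut it down), here is an added example. It is not code from the article, from Zhu’s blog post, or from OkCupid; the session store, the site origin https://www.example.com, the header names and the sample requests are all constructed for illustration. The vulnerable handler shows the pattern the article describes, and the hardened handler adds a media-type check, an Origin/Sec-Fetch-Site check and a per-session CSRF token, alongside the SameSite=Strict cookie the researcher recommends.

```python
import json
from dataclasses import dataclass

# Constructed values for this example (not from the article).
SITE_ORIGIN = "https://www.example.com"
SESSIONS = {"sess-alice": {"user": "alice", "csrf": "tok-alice-123"}}
SESSION_COOKIE = "session"
CSRF_HEADER = "x-csrf-token"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; header names are case-insensitive."""
    method: str
    headers: dict
    body: bytes

    def header(self, name, default=""):
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), default)

    def cookie(self, name):
        for part in self.header("cookie").split(";"):
            k, _, v = part.strip().partition("=")
            if k == name:
                return v
        return None


def lookup_session(req):
    return SESSIONS.get(req.cookie(SESSION_COOKIE))


def vulnerable_send(req):
    """The pattern the article describes: the handler trusts the session cookie and
    calls json.loads() on the body whatever Content-Type was sent, so a text/plain
    body that happens to be valid JSON is processed as a genuine message send."""
    sess = lookup_session(req)
    if sess is None:
        return 401, {"error": "not logged in"}
    try:
        payload = json.loads(req.body)
    except ValueError:
        return 400, {"error": "bad json"}
    return 200, {"from": sess["user"], "to": payload["to"], "text": payload["text"]}


def hardened_send(req):
    """Same endpoint with the checks a defender would add."""
    sess = lookup_session(req)
    if sess is None:
        return 401, {"error": "not logged in"}
    # 1. Insist on the JSON media type (ignoring parameters such as charset).
    #    An HTML form cannot send application/json without a CORS preflight.
    media_type = req.header("content-type").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, {"error": "expected application/json"}
    # 2. If the browser says the request came from another site, refuse it.
    origin = req.header("origin", None)
    if origin is not None and origin != SITE_ORIGIN:
        return 403, {"error": "cross-origin request"}
    if req.header("sec-fetch-site", "same-origin") not in ("same-origin", "none"):
        return 403, {"error": "cross-site request"}
    # 3. Require a per-session CSRF token that a foreign page cannot read.
    if req.header(CSRF_HEADER) != sess["csrf"]:
        return 403, {"error": "missing or wrong csrf token"}
    try:
        payload = json.loads(req.body)
    except ValueError:
        return 400, {"error": "bad json"}
    return 200, {"from": sess["user"], "to": payload["to"], "text": payload["text"]}


def session_set_cookie(session_id):
    """Set-Cookie value the site should issue: with SameSite=Strict the browser
    never attaches the session cookie to a request initiated by another site."""
    return f"{SESSION_COOKIE}={session_id}; Secure; HttpOnly; SameSite=Strict"


BODY = json.dumps({"to": "bob", "text": "hi"}).encode()

# Constructed: how a cross-site form submission arrives at the server.
CROSS_SITE = Request("POST", {
    "Cookie": "session=sess-alice",
    "Content-Type": "text/plain",
    "Origin": "https://third-party.example",
    "Sec-Fetch-Site": "cross-site",
}, BODY)

# Constructed: a request from the site's own front end.
SAME_SITE = Request("POST", {
    "Cookie": "session=sess-alice",
    "Content-Type": "application/json; charset=utf-8",
    "Origin": SITE_ORIGIN,
    "Sec-Fetch-Site": "same-origin",
    "X-CSRF-Token": "tok-alice-123",
}, BODY)

if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_send), ("hardened", hardened_send)):
        print(name, "cross-site:", handler(CROSS_SITE)[0], "same-site:", handler(SAME_SITE)[0])
```

The media-type check alone is what separates the two handlers in the cross-site case: a form can only submit with form encodings or text/plain, so an endpoint that refuses everything but application/json cannot be driven by a form post. The Origin/Sec-Fetch-Site and CSRF-token checks are defence in depth for clients that can set arbitrary content types, and the SameSite=Strict cookie removes the ambient credential from cross-site requests before any of the server-side checks run.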


The Daily Swig has contacted OkCupid for further comment. We will update the article if we receive a response.

Source: https://portswigger.net/daily-swig/vulnerability-in-dating-site-okcupid-could-be-used-to-trick-users-into-liking-or-messaging-other-profiles


Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO