Sensitive Data visibility & Performing actions with respect to the target

Sensitive Data visibility & Performing actions with respect to the target

As much as this aspect, we’re able to launch the OkCupid application that is mobile a deep website link, containing a harmful JavaScript rule within the part parameter. The after screenshot shows the last XSS payload which loads jQuery and then lots JavaScript rule through the attacker’s host: (take note the top of area offers the XSS payload additionally the base section is the identical payload encoded with URL encoding):

The after screenshot shows an HTTP GET demand containing the ultimate XSS payload (part parameter):

The host replicates the payload delivered previous within the part parameter in addition to injected code that is javaScript performed when you look at the context associated with the WebView.

As mentioned before, the ultimate XSS payload lots a script file through the attacker’s server. The loaded JavaScript code will be utilized for exfiltration and account contains 3 functions:

  1. steal_token – Steals users’ verification token, oauthAccessToken, plus the users’ id, userid. Users’ sensitive information (PII), such as for instance current email address, is exfiltrated aswell.
  2. steal_data – Steals users’ profile and data that are private choices, users’ characteristics ( ag e.g. responses filled during registration), and much more.
  3. Send_data_to_attacker – send the data gathered in functions 1 and 2 into the attacker’s host.

steal_token function:

The big event produces a call that is api the host. Users’ snacks are delivered to the host considering that the XSS payload is performed within the context regarding japan cupid mobile the application’s WebView.

The host reacts having a vast json containing the users’ id and also the verification token too:

Steal information function:

The event produces an HTTP request endpoint.

On the basis of the information exfiltrated within the steal_token function, the demand has been delivered using the verification token while the user’s id.

The host responds with the information about the victim’s profile, including email, intimate orientation, height, household status, etc.

Forward information to attacker function:

The big event produces a POST request to your attacker’s host containing all the details retrieved in the past function telephone calls (steal_token and steal_data functions).

The after screenshot shows an HTTP POST demand sent to the attacker’s host. The demand human body contains all the victim’s delicate information:

Performing actions with respect to the target can also be feasible as a result of exfiltration of this victim’s verification token together with users’ id. These records is employed within the harmful JavaScript rule (just like used in the steal_data function).

An attacker can perform actions such as forward messages and alter profile data as a result of the information exfiltrated into the function that is steal_token

  1. Authentication token, oauthAccessToken, is employed into the authorization header (bearer value).
  2. Consumer id, userId, is added as required.

Note: An attacker cannot perform account that is full considering that the snacks are protected with HTTPOnly.

the information and knowledge exfiltrated into the steal_token function:

  1. Authentication token, oauthAccessToken, can be used into the authorization header (bearer value).
  2. Consumer id, userId, is added as needed.

Note: An attacker cannot perform account that is full because the cookies are protected with HTTPOnly.

Internet System Vulnerabilities Mis-configured Cross-Origin Site Sharing Policy Results In Fragile Information Visibility

for the duration of the investigation, we’ve unearthed that the CORS policy associated with the API host just isn’t configured precisely and any beginning can deliver needs to your host and read its responses that are. The after demand shows a demand delivered the API host through the beginning

The host will not correctly validate the foundation and reacts with all the requested information. Furthermore, the host reaction contains Access-Control-Allow-Origin: and Access-Control-Allow-Credentials: real headers:

Only at that true point on, we understood we can deliver needs into the API host from our domain without having to be obstructed because of the CORS policy.

The moment a target is authenticated on OkCupid application and browsing into the attacker’s internet application, an HTTP GET demand is delivered to containing the victim’s cookies. The server’s response contains A json that is vast containing the victim’s verification token as well as the victim’s user_id.

We’re able to find much more helpful information in the bootstrap API endpoint – sensitive API endpoints into the API host:

The after screenshot shows sensitive and painful PII data exfiltration from the /profile/ API endpoint, utilising the victim’s user_id as well as the access_token:

The screenshot that is following exfiltration associated with victim’s communications through the /1/messages/ API endpoint, utilising the victim’s user_id as well as the access_token:


The field of online-dating apps is rolling out quickly over the years, and matured to where it is at today using the transformation to a electronic globe, particularly in the past 6 months – considering that the outbreak of Coronavirus around the world. The “new normal” habits such as for example as “social distancing” have actually forced the dating globe to entidepend depend on electronic tools for help.

The study offered right right right here shows the potential risks related to among the longest-established and a lot of apps that are popular its sector. The serious dependence on privacy and information safety becomes a lot more important whenever plenty personal and intimate information being stored, handled and analyzed in a software. The application and platform was made to create individuals together, but needless to say where individuals get, crooks will observe, seeking effortless pickings.

Add a comment

*Please complete all fields correctly

Related Blogs

No Image