Why your dating app can be dangerous

As social engineering attacks continue to grow at an alarming rate, Check Point’s security team now warns of one domain where users are especially at risk: dating applications. “We’ve had a lot of cases that have led to ransom,” they tell me, “bad actors who exploit users, obtain their personal information and then attack.”

“We had to look at OkCupid,” Oded Vanunu of Check Point tells me, “because it’s one of the most important.” The platform has up to 50 million registered users in more than one hundred countries; its Android app alone has been downloaded more than 10 million times. Check Point set out to test it for vulnerabilities. “We tried to see how simple it would be for hackers to target this infrastructure to hijack accounts,” Vanunu says. “It was very simple.”

The good news is that Check Point shared its findings with OkCupid, which quickly produced a fix. “Not a single user was affected by the potential vulnerability,” an OkCupid spokesperson told me. “We had it fixed within 48 hours.” The bad news is that Check Point believes this is just the tip of an industry-wide iceberg, and that there are many more vulnerabilities waiting to be discovered.

“We need to raise users’ awareness,” Vanunu says. “With this kind of app, you have to understand that it can be hacked and that you have a lot of personal data at stake.” Taking a step back, you can see his point: millions of us implicitly trust these dating sites and apps to protect our data, our likes and our dislikes, a real treasure trove for bad actors.

With OkCupid, Check Point says its attack exposed everything in an account: personal data and private messages, photos, contact details and the user’s real identity, including the answers to the personal and revealing questions that let the site’s artificial intelligence engine work out possible matches.

So how did it work? Check Point found a vulnerability in OkCupid’s deep link scheme, one that could be abused via links disguised as belonging to the platform itself but that were in fact malicious. These links provided a way to exfiltrate data and an opportunity to trigger actions within the platform.

“An attacker can send a custom link,” the team explains in its disclosure, and the OkCupid mobile app will open it in an in-app browser (WebView) window. Any request made from that window is sent with the user’s cookies. This means that a user who clicks the link, whether on their phone or PC, is already “authenticated”, giving the attacker full access to their account.
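The defensive counterpart to the flaw just described is to decide trust from the parsed host of a deep link, never from how the link reads, before loading it in an in-app WebView that carries the session. The following is an added example written for this article, not Check Point’s or OkCupid’s code; the hostnames, the `open_link` model and the cookie handling are assumptions for illustration.

```python
# Added example (not Check Point's or OkCupid's code): a strict allowlist
# check for deep links before an app loads them in an authenticated WebView.
# Links that merely look like the platform's own must be sent to the external
# browser without the user's cookies.
from urllib.parse import urlsplit

# Hypothetical allowlist; a real app would use its own exact hostnames.
TRUSTED_HOSTS = {"app.example-dating.test", "www.example-dating.test"}


def is_trusted_deeplink(url: str) -> bool:
    """Return True only for https links whose host is exactly allowlisted."""
    try:
        parts = urlsplit(url)
        # .hostname is lowercased with brackets/port stripped; .port raises
        # ValueError on a malformed port, so both stay inside the try.
        host = (parts.hostname or "").lower()
        port = parts.port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # Reject user:pass@host tricks: text before '@' is userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False
    # Exact match only: look-alike subdomains and sibling domains fail here.
    if host not in TRUSTED_HOSTS:
        return False
    # Port must be absent or the https default.
    return port in (None, 443)


def open_link(url: str, session_cookie: str) -> str:
    """Model of the WebView decision (assumed): trusted links get the session,
    anything else is handed to the external browser with no cookies."""
    if is_trusted_deeplink(url):
        return f"webview:{url};cookie={session_cookie}"
    return f"external:{url};cookie=none"
```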

Such a link could simply be sent as spam, addressed to users indiscriminately. But the team suggests a targeted attack would be much more likely. “Think about it, it’s reality,” Vanunu warns. “I’m a cybercriminal. I want to ransom people, I want to carry out sextortion. I’m on the app. I use a fake ID and find matches. I start chatting. Then I send this link in the chat itself. And that’s it. I have control. I can start ransoming the person: ‘If you don’t want me to share this information, send me bitcoins.’”

“As sophisticated social engineering attacks have increased over the last two years,” says Vanunu, “attackers want more data on their targets. There is a race for information, a race to collect data about users. In this area, people are more open, sharing far more personal data, more photos, thoughts and ideas than on classic social media platforms. Dating apps are a leak.”

Check Point also points out that targeting an individual can be a route into their organization; the person may just be a lever. Most users behave openly, seeking to find a match, “but there are also users who hide their identity, offering data that can be harmful in the wrong hands. We see it every day when we investigate attacks on organizations: we see the information that allowed the attacker to target the victim.”

And that’s what you shouldn’t forget here: yes, the specifics are about OkCupid, a vulnerability that has been fixed. But, as Vanunu warns, “in my opinion, you can safely assume the same of other apps.” And the specific attack vector is secondary to the value of the personal, private data it exposes. As we all know very well by now, no site or application can be relied on to protect this data absolutely.

OkCupid is part of Match Group, the giant of the online dating world, whose other platforms (among dozens) include Tinder, Plenty Of Fish and Match. “We are grateful to partners like Checkpoint,” the company spokesperson told me, “who, together with OkCupid, have put the protection and privacy of our users first.”

I am the founder/CEO of Digital Barriers, which develops complex surveillance responses for defense, national security and combating terrorism. I write about the intersection of geopolitics and cybersecurity, and analyze security and surveillance stories. Contact me at [email protected].
