Researchers found that they could gain access to the popular Android app ‘OkCupid’ when they dug deeply into it. They could easily find out details like email aliases, DOBs , genders , names and locations. In the same way one could easily access information like dating preferences such as whether they are looking for long term or short term relations and if they would want to find new friends etc.
Researchers have found that not all the URLs that pass through the system are vulnerable as OkCupid uses WebView, but some of the URLs are designated as MagicLink which is described as the opening for the bad actors. Magic link can be simply a URL that contains the string /l/. Any link that contains /l/ will pass as a MagicLink. This string is then utilised by the attackers to create a malicious phishing page so that they can share it with unsuspecting users who would then enter their login usernames and passwords. As users will not generally suspect a link that is present within the site.
Researchers found that by changing the API endpoint to an attacker controlled address, they can now permanently control the information flow between the victim and the API server.
As per OkCupid spokesperson, Checkmarx had alerted them about a potential security breach in the app. The issue was soon analyzed and resolved. It is believed that this hardly impacted any of their users on any OS.