April 9, 2021

Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we are able to launch the OkCupid mobile application with a deep link that carries malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the top part shows the XSS payload and the bottom part is the same payload with URL encoding):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
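The root cause described above is that a deep-link parameter is copied into the page rendered by the WebView without validation or encoding. The following is an added example (not code from the original research or from OkCupid) that contrasts a handler reproducing that defect with a hardened one; the `section` parameter name comes from the text, while the allowlisted section names and the sample deep links are constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of section names the application actually knows how to render.
ALLOWED_SECTIONS = {"profile", "messages", "settings"}
DEFAULT_SECTION = "profile"


def section_from_deeplink(url):
    """Extract the 'section' query parameter from a deep link (empty string if absent)."""
    query = parse_qs(urlparse(url).query)
    return query.get("section", [""])[0]


def render_unsafe(section):
    # Mirrors the defect: the untrusted parameter is echoed into the WebView's HTML as-is,
    # so any markup or script it contains becomes part of the page.
    return f'<div id="section">{section}</div>'


def render_hardened(section):
    # Two layers: only known section names are accepted (anything else falls back to a
    # default), and the value is HTML-escaped anyway so a future allowlist entry containing
    # special characters can never break out of the element.
    if section not in ALLOWED_SECTIONS:
        section = DEFAULT_SECTION
    return f'<div id="section">{html.escape(section, quote=True)}</div>'


def is_script_free(rendered_html):
    """Cheap regression check: the rendered fragment must not contain a script tag."""
    return "<script" not in rendered_html.lower()


if __name__ == "__main__":
    # Constructed sample deep links; the second one carries markup in the parameter.
    benign = "okcupid://open?section=messages"
    hostile = "okcupid://open?section=%3Cscript%3Ealert(1)%3C/script%3E"
    for link in (benign, hostile):
        value = section_from_deeplink(link)
        print("unsafe  :", render_unsafe(value))
        print("hardened:", render_hardened(value))
```

The allowlist is the check that actually matters: once the WebView only ever receives one of a fixed set of section names, there is no channel through which deep-link content can reach the page as code.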

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code, used for data exfiltration and for acting on the victim's account, contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data, preferences, user characteristics (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function creates an API call to the server. The user's cookies are sent along with it, since the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id as well as the authentication token:

steal_data function:

The function creates an HTTP request to an API endpoint.

Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function creates a POST request to the attacker's server containing all the information retrieved in the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible, thanks to the exfiltration of the victim's authentication token and the user's id. This information is used in the malicious JavaScript code (in the same way it is used in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data thanks to the information exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added as needed.

Note: An attacker cannot perform a full account takeover, since the cookies are protected with HttpOnly.

Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly: any origin can send requests to the server and read its responses. The following request shows a request sent to the API server from the origin:

The server does not validate the origin properly and responds with the requested data. Moreover, the server response contains an Access-Control-Allow-Origin header (set to the requesting origin) and Access-Control-Allow-Credentials: true:

From this point on, we found that we can send requests to the API server from our own domain without being blocked by the CORS policy.

As soon as a victim is authenticated on the OkCupid application and browses to the attacker's web application, an HTTP GET request is sent to the API server carrying the victim's cookies. The server's response includes a large JSON containing the victim's authentication token and the victim's user_id.
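The misconfiguration described here is the combination of an Access-Control-Allow-Origin header that echoes whatever origin asked and Access-Control-Allow-Credentials: true, which lets any site read authenticated API responses. The following is an added example, not code from the original research or from OkCupid, that shows the reflecting header logic beside an exact-match allowlist, plus a small audit function a defender can run over captured request/response pairs to flag the pattern. The trusted origins and the sample origins are constructed placeholders.

```python
# Hypothetical allowlist of first-party origins; real deployments would load this from config.
TRUSTED_ORIGINS = {"https://www.example-app.test", "https://m.example-app.test"}


def cors_headers_misconfigured(origin):
    # The pattern from the text: reflect any Origin and allow credentials, so every site's
    # JavaScript can read responses that carry the victim's cookies.
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin):
    # Exact-match allowlist. Unknown origins get no CORS headers at all, so the browser
    # refuses to expose the response body to the calling page. 'Vary: Origin' keeps caches
    # from serving one origin's allow header to another.
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def audit_cors(request_origin, response_headers, trusted=TRUSTED_ORIGINS):
    """Return a list of findings for one request/response pair (empty list means clean)."""
    findings = []
    acao = response_headers.get("Access-Control-Allow-Origin")
    acac = response_headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return findings  # no cross-origin read is granted at all
    if acao == "*" and acac:
        # Browsers reject this combination, but it still signals a wrong configuration.
        findings.append("wildcard origin with credentials")
    if acao == "null":
        findings.append("'null' origin allowed (sandboxed frames and file: pages match it)")
    if acao == request_origin and request_origin not in trusted:
        findings.append("untrusted origin reflected" + (" with credentials" if acac else ""))
    if acao != "*" and "Vary" not in response_headers:
        findings.append("missing Vary: Origin (cache poisoning risk)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a third-party origin probing both configurations.
    probe = "https://third-party.test"
    print("misconfigured:", audit_cors(probe, cors_headers_misconfigured(probe)))
    print("hardened     :", audit_cors(probe, cors_headers_hardened(probe)))
```

Running the audit over a proxy capture of an API's responses, keyed by the Origin each request carried, surfaces reflection quickly: a clean allowlisted server returns findings only for origins it was supposed to trust, while a reflecting one flags every probe.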

We were able to find more useful data in the bootstrap API endpoint, namely further sensitive API endpoints on the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:

Summary

The world of online-dating apps has developed rapidly over the years and matured to where it is today thanks to the shift to a digital world, especially in the past 6 months, since the outbreak of Coronavirus around the globe. "New normal" habits such as "social distancing" have pushed the dating world to rely entirely on digital tools.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes even more important when so much personal and intimate information is stored, handled and analyzed in an application. The application and platform were made to bring people together, but of course wherever people go, criminals will follow, looking for easy pickings.