UPDATED 22:30 EDT / JULY 30 2020

OkCupid security flaws could have allowed hackers to compromise dating accounts

IAC/Interactivecorp-owned dating service OkCupid has fixed security flaws in its website and apps that could have allowed hackers to access personal data and private messages of the service’s 50 million users.

The vulnerabilities were found and revealed Wednesday by security researchers at Check Point Software Technologies Ltd. and stemmed from a range of sloppy coding practices. The flaws discovered could have allowed attackers to expose personally identifiable information of members, perform actions on behalf of the victim and steal sensitive data belonging to the users, including private messages and sexual orientation.

The researchers detailed a three-step attack method to exploit the vulnerabilities that could have been used by hackers to target users. The attack method starts with creating a malicious link containing a targeted payload, followed by either sending the link to the intended target or publishing the link on a public forum for users to click on. Once a victim clicks on the malicious link, the code is executed, giving the hackers access to the victim’s account.

Having discovered the vulnerabilities, the researchers contacted OkCupid first and the dating service fixed them within 48 hours. OkCupid may not be alone, however, in having the same vulnerabilities. “Our research into OkCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps,” the researchers noted.

John Kozyrakis, senior security research engineer at electronic design automation company Synopsys Inc., told SiliconANGLE that an attacker would need to distribute a malicious link to users and users would need to click on it, which normally works only when the user is already logged in.

“In this case, the Android app is configured to automatically open OkCupid-related URLs the user clicks on,” Kozyrakis explained. “As such, if an attacker manages to send specially crafted URLs to mobile users (e.g., via a chat application), then upon clicking these links, the OkCupid app would load the link much like a normal web browser would.”

The interesting thing here, he said, is that the OkCupid app is almost always logged into the OkCupid website and is widely used. “Thus, by using the Android app in the attack workflow, the vulnerable user base is increased compared to just launching this attack in a way that only web-app users are vulnerable,” Kozyrakis said.
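The exposure Kozyrakis describes comes from an app that loads whatever URL it is handed into a WebView that already holds the user's session. As an added illustration (hypothetical code, not OkCupid's app or anything from Check Point's report), the handler below validates a deep link's scheme, host and path against an allowlist before loading it; the host and path values are constructed placeholders. This narrows the app-side attack surface only; injection flaws in the website itself still have to be fixed on the server.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical deep-link activity for an app that opens its own URLs (not OkCupid's code).
public class DeepLinkActivity extends Activity {
    // Constructed allowlist: exact hosts the app may load into its logged-in WebView.
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("www.example-dating.com", "example-dating.com");
    // Only these path prefixes may be reached through an externally supplied link.
    private static final List<String> ALLOWED_PATH_PREFIXES =
            Arrays.asList("/profile/", "/messages/");

    /** Returns true only if the link is safe to load with the user's session attached. */
    static boolean isAllowedDeepLink(Uri uri) {
        // Opaque URIs such as javascript:... never reach the host/path checks.
        if (uri == null || !uri.isHierarchical()) return false;
        String scheme = uri.getScheme();
        String host = uri.getHost();
        String path = uri.getPath();
        // https only: rejects http:, file:, content: and similar schemes.
        if (scheme == null || !scheme.equalsIgnoreCase("https")) return false;
        // Reject userinfo tricks like https://trusted.example@evil.example/ and odd ports.
        if (uri.getUserInfo() != null || uri.getPort() != -1) return false;
        // Exact host match; a suffix check would accept example-dating.com.evil.example.
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return false;
        // Path must be present, free of traversal, and under an allowed prefix.
        if (path == null || path.contains("..") || path.contains("\\")) return false;
        for (String prefix : ALLOWED_PATH_PREFIXES) {
            if (path.startsWith(prefix)) return true;
        }
        return false;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        Uri target = getIntent().getData();
        if (isAllowedDeepLink(target)) {
            webView.loadUrl(target.toString());
        } else {
            // Unexpected link: open the app's home page rather than the supplied URL.
            webView.loadUrl("https://www.example-dating.com/");
        }
    }
}
```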

Ray Kelly, principal security engineer at application security platform provider WhiteHat Security Inc., noted that mobile app developers often do not realize that their apps can be vulnerable to the same exploits as typical websites.

“This demonstrates the importance of not only testing the mobile app for security vulnerabilities but also any backend or linked web servers with a thorough dynamic application security testing assessment,” Kelly said.
