OkCupid Vulnerability Creates In-App Phishing Concern

According to multiple IT publications, OkCupid has an in-app vulnerability that may allow hackers to access user data.

The cybersecurity issue was discovered by researchers at Checkmarx in Israel, whose findings were outlined in a recent Threatpost article.

TechGenix reporter Derek Kortepeter says: “The vulnerability (…) results from OkCupid’s ‘Webview’ reading any URL containing the string, ‘/l/’, and passing it as a MagicLink.

“What this means is that the link does not redirect outside of the application, and is opened instead within the hybrid Webview of OkCupid’s Android application.”

His coverage quotes expert Erez Yalon, who explains that users could easily mistake a fake login page for a legitimate request if it were to appear inside the OKC app.
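The routing flaw described in the quoted coverage comes down to a substring match on the whole URL. The sketch below is an added example, not OkCupid's code or its actual fix: it puts that match beside a stricter check that parses the link first. The class name, method names, trusted hosts and sample URLs are all assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class MagicLinkRouting {
    // Assumption: placeholder hosts standing in for the app's own domains.
    private static final Set<String> TRUSTED_HOSTS =
            Set.of("example-dating.test", "www.example-dating.test");

    // The behaviour the coverage describes: a substring match anywhere in the URL.
    static boolean opensInAppWeak(String url) {
        return url.contains("/l/");
    }

    // Stricter routing: parse first, then check scheme, exact host and path prefix.
    static boolean opensInAppStrict(String url) {
        final URI uri;
        try {
            uri = new URI(url).normalize(); // collapses "/l/../" style segments
        } catch (URISyntaxException e) {
            return false; // unparseable links never load inside the app
        }
        String host = uri.getHost();
        String path = uri.getPath();
        return "https".equalsIgnoreCase(uri.getScheme())
                && uri.getUserInfo() == null // no "trusted@other-host" forms
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT))
                && path != null
                && path.startsWith("/l/");
    }

    public static void main(String[] args) {
        // Constructed sample links; none come from the article or the real app.
        List<String> samples = List.of(
                "https://www.example-dating.test/l/abc123",
                "https://other-site.example.net/l/login",
                "https://other-site.example.net/page?next=/l/x",
                "https://www.example-dating.test.other-site.example.net/l/abc",
                "http://www.example-dating.test/l/abc123",
                "https://www.example-dating.test/l/../account");
        for (String url : samples) {
            System.out.printf("weak=%-5b strict=%-5b %s%n",
                    opensInAppWeak(url), opensInAppStrict(url), url);
        }
    }
}
```

Every sample passes the substring match, while only the first passes the strict check; links that fail it would be handed to the external browser, where the address bar shows the real host.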

Credentials obtained via a dummy in-app screen would be sent to attackers, who then have the ability to impersonate, bribe or otherwise threaten users.

The vulnerability can also expose location information, which is particularly concerning for reasons of physical safety.

Some OKC users contacted TechCrunch in the lead-up to Valentine’s Day with concerns that their accounts had been hacked.

At the time, a company spokesperson said: “There has been no security breach at OkCupid. (…) All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

Jack’d and Coffee Meets Bagel have both encountered security issues in recent weeks.
