Adam Bannister 04 Aug 2021 at 14:13 UTC
Updated: 04 Aug 2021 at 14:28 UTC
The attacker could also see the dating profiles of logged-in victims
A security vulnerability in the popular OkCupid dating site meant that an attacker could trick users into unknowingly “liking” or sending messages to other profiles.
The flaw, which earned its researcher an undisclosed bug bounty reward, has now been fixed.
Provided the victim could be tricked into clicking a malicious link, the exploit was achieved by combining a cross-site request forgery (CSRF) bug with a “JSON-like confusion” vulnerability, explained Yan Zhu, security engineer at Brave, a privacy-focused browser, in a blog post.
“Obviously you can abuse this to match anyone you might trick into clicking a link, or you can spam the link to a group of people to increase your profile ranking in whatever mystery algorithm OkCupid uses to suggest people,” Zhu continued.
“It also occurred to me that if I redirected my website to the CSRF link which automatically sent me a message, I could see the OkCupid profiles of my website visitors who were logged into okcupid.com, which would result in an intense web-crawling tool.”
The researcher investigated OkCupid after “checking to see if websites send CSRF tokens alongside requests that require authentication, like sending messages to another user from your account.”
She noticed that messages on the dating site were sent via requests to https://www.okcupid.com/1/apitun/messages/send with a JSON-encoded body and no CSRF protection token.
Zhu then created a webpage that, after some trial and error, managed to send a cross-origin request to OkCupid’s message-sending endpoint on the third attempt.
She tested the exploit against friends who had active OkCupid profiles, explaining: “There you go, my OkCupid test profile was flooded with a series of messages they didn’t want to send me.”
Zhu joked, “I briefly felt very popular, which was worth it.”
OkCupid, which was alerted to the flaw in April 2021, told the researcher that it had quickly fixed the flaw.
Check your inputs
Zhu also investigated whether authenticated endpoints on other sites similarly accept requests sent with a non-JSON content type, despite expecting JSON.
Of the 215 such endpoints she found on the top 500 Alexa sites, 87 did not return any errors when sent requests with a non-JSON content type, with many apparently returning JSON responses.
“Most of them are probably not authenticated endpoints and some of them may need to accept non-JSON text, but this suggests to me that developers should be careful when accepting input on endpoints that parse JSON,” Zhu concluded.
She also noted that setting the browser’s SameSite cookie attribute to “Strict” effectively prevents this and most other CSRF attacks.
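As an added illustration that is not part of this article or of Zhu’s write-up, the Python snippet below contrasts a message-sending handler of the kind she describes (session cookie trusted, body parsed as JSON regardless of Content-Type) with a hardened version that enforces the JSON media type, a CSRF token and an Origin check, and shows the SameSite=Strict cookie setting she recommends. The endpoint path is the one named in the article; the header names, token scheme, cookie name and sample requests are constructed assumptions, not OkCupid’s actual implementation.

```python
"""Added example, not code from the article or from the researcher's post.
Everything below is constructed: the header names, the CSRF token scheme, the
cookie name and the sample requests are assumptions for illustration."""
import json
import hmac
from dataclasses import dataclass, field

# Constructed site configuration: the first-party origin and a per-session token.
SITE_ORIGIN = "https://www.okcupid.com"
SESSION_CSRF_TOKEN = "constructed-session-token-123"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""
    cookies: dict = field(default_factory=dict)


def vulnerable_send_message(req):
    """The pattern the article warns about: the endpoint trusts the session
    cookie alone and parses the body as JSON whatever Content-Type arrived, so a
    cross-origin browser request whose body merely looks like JSON goes through."""
    if "session" not in req.cookies:
        return 401, {"error": "not logged in"}
    try:
        msg = json.loads(req.body)
    except ValueError:
        return 400, {"error": "bad json"}
    return 200, {"sent_to": msg["to"], "text": msg["text"]}


def hardened_send_message(req):
    """Same endpoint with the checks that close the hole."""
    if "session" not in req.cookies:
        return 401, {"error": "not logged in"}
    # 1. Only accept the media type first-party JavaScript sends. An HTML form
    #    cannot produce application/json, so this alone blocks the form-based
    #    cross-origin post. Parameters such as charset are tolerated.
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, {"error": "expected application/json"}
    # 2. Require a CSRF token the page script reads and echoes in a header;
    #    a third-party page cannot read it cross-origin.
    token = req.headers.get("x-csrf-token", "")
    if not hmac.compare_digest(token, SESSION_CSRF_TOKEN):
        return 403, {"error": "missing or invalid CSRF token"}
    # 3. Defence in depth: if the browser sent an Origin header, it must be ours.
    origin = req.headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, {"error": "cross-origin request refused"}
    try:
        msg = json.loads(req.body)
    except ValueError:
        return 400, {"error": "bad json"}
    return 200, {"sent_to": msg["to"], "text": msg["text"]}


def session_cookie_header():
    """The mitigation the article mentions, as a Set-Cookie header: with
    SameSite=Strict the browser never attaches the cookie to cross-site
    requests, so even the vulnerable handler would see no session."""
    return "session=abc123; Secure; HttpOnly; Path=/; SameSite=Strict"


def cross_site_request():
    """Constructed request of the shape a logged-in victim's browser would send
    from a third-party page: session cookie attached, JSON-looking body, but a
    text/plain Content-Type and no CSRF token."""
    return Request(
        method="POST",
        path="/1/apitun/messages/send",
        headers={"content-type": "text/plain",
                 "origin": "https://third-party.example"},
        body=b'{"to": "12345", "text": "hi"}',
        cookies={"session": "abc123"},
    )


def first_party_request():
    """Constructed request as the site's own JavaScript would issue it."""
    return Request(
        method="POST",
        path="/1/apitun/messages/send",
        headers={"content-type": "application/json; charset=utf-8",
                 "origin": SITE_ORIGIN,
                 "x-csrf-token": SESSION_CSRF_TOKEN},
        body=b'{"to": "12345", "text": "hi"}',
        cookies={"session": "abc123"},
    )


if __name__ == "__main__":
    print("vulnerable, cross-site :", vulnerable_send_message(cross_site_request()))
    print("hardened, cross-site   :", hardened_send_message(cross_site_request()))
    print("hardened, first-party  :", hardened_send_message(first_party_request()))
    print("cookie                 :", session_cookie_header())
```

The three checks are independent: the Content-Type test blocks what a plain HTML form can emit, the token blocks any cross-origin caller that cannot read the page, and the Origin comparison catches the remaining cases where a browser does send that header. SameSite=Strict belongs on the session cookie regardless, since it removes the credential from cross-site requests before the server sees them.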
The Daily Swig contacted OkCupid for further comment. We will update the article if we receive a response.