Sensitive Data Exposure & Performing Actions on Behalf of the Victim

Published on March 31, 2021

As part of this stage of the research, we were able to launch the OkCupid mobile application using a deep link containing malicious JavaScript code in the section parameter. The following screenshot shows the final XSS payload, which loads jQuery and then loads JavaScript code from the attacker's server (note that the upper part contains the XSS payload while the lower part is the same payload URL-encoded):

The following screenshot shows an HTTP GET request containing the final XSS payload (section parameter):

The server reflects the payload sent earlier in the section parameter, and the injected JavaScript code is executed in the context of the WebView.
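The root cause described above is a deep-link parameter reflected verbatim into a WebView. The following is an added defensive example written for this page (not code from the original write-up or from OkCupid): the handler resolves the section parameter against an allow-list of known sections and escapes whatever does reach markup, so a value carrying markup is discarded rather than rendered. The parameter name `section` comes from the text; the `app://open` scheme, the allowed section names and the function names are assumptions.

```javascript
// Added example: allow-listing a deep-link parameter before it reaches a WebView.
// Illustrative code written for this page, not OkCupid's handler. The parameter
// name "section" comes from the write-up; the allowed values and the deep-link
// scheme "app://open" are assumptions.

const ALLOWED_SECTIONS = new Set(['profile', 'messages', 'settings']); // assumed values
const DEFAULT_SECTION = 'profile';

// Escape the five HTML-significant characters so any value that does end up in
// markup is rendered as text, never parsed as tags or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parse a deep link and return the section to open. Anything outside the
// allow-list is rejected and the default section is returned; the raw value is
// never handed to the WebView.
function resolveDeepLinkSection(deepLink) {
  let url;
  try {
    url = new URL(deepLink);
  } catch {
    return { section: DEFAULT_SECTION, rejected: true, reason: 'unparseable link' };
  }
  const raw = url.searchParams.get('section');
  if (raw === null) {
    return { section: DEFAULT_SECTION, rejected: false, reason: 'no section given' };
  }
  if (!ALLOWED_SECTIONS.has(raw)) {
    return { section: DEFAULT_SECTION, rejected: true, reason: 'section not in allow-list' };
  }
  return { section: raw, rejected: false, reason: 'ok' };
}

// Build the fragment the WebView would render. The vulnerable pattern in the
// write-up reflected the parameter verbatim; here only the allow-listed value
// is used, and it is escaped anyway as defence in depth.
function renderSectionHtml(deepLink) {
  const { section } = resolveDeepLinkSection(deepLink);
  return `<div data-section="${escapeHtml(section)}"></div>`;
}

// Constructed inputs: a benign link and one carrying markup in the parameter.
const benign = 'app://open?section=messages';
const hostile = 'app://open?section=' + encodeURIComponent('<script>alert(1)</script>');

console.log(resolveDeepLinkSection(benign));   // section: 'messages', rejected: false
console.log(resolveDeepLinkSection(hostile));  // section: 'profile', rejected: true
console.log(renderSectionHtml(hostile));       // '<div data-section="profile"></div>'
```

The allow-list is the control that matters: escaping alone would stop markup injection but still let the app navigate to whatever a link names, while an allow-list bounds the reachable behaviour to what the app actually offers. Logging the `rejected` result is a cheap detection signal for links that probe this parameter.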

As mentioned before, the final XSS payload loads a script file from the attacker's server. The loaded JavaScript code is used for the exfiltration and contains 3 functions:

  1. steal_token – Steals the user's authentication token, oauthAccessToken, and the user's id, userid. The user's sensitive information (PII), such as email address, is exfiltrated as well.
  2. steal_data – Steals the user's profile and private data, preferences, user attributes (e.g. answers filled in during registration), and more.
  3. send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's server.

steal_token function:

The function generates an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.

The server responds with a large JSON containing the user's id as well as the authentication token:

steal_data function:

The function generates an HTTP request to an API endpoint.

Based on the data exfiltrated in the steal_token function, the request is sent using the authentication token and the user's id.

The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.

send_data_to_attacker function:

The function generates a POST request to the attacker's server containing all the data retrieved in the previous function calls (steal_token and steal_data functions).

The following screenshot shows an HTTP POST request sent to the attacker's server. The request body contains all of the victim's sensitive information:

Performing actions on behalf of the victim is also possible thanks to the exfiltration of the victim's authentication token and the user's id. This information can be used in the malicious JavaScript code (similar to its use in the steal_data function).

An attacker can perform actions such as sending messages and changing profile data using the data exfiltrated in the steal_token function:

  1. Authentication token, oauthAccessToken, is used in the authorization header (bearer value).
  2. User id, userId, is added as required.

Note: An attacker cannot perform a full account takeover because the cookies are protected with HttpOnly.

Web Platform Vulnerabilities

Misconfigured Cross-Origin Resource Sharing Policy Leads to Sensitive Data Exposure

During the research, we found that the CORS policy of the API server api.OkCupid.com is not configured correctly, and any origin can send requests to the server and read its responses. The following request is a request sent to the API server from an origin under our control:

The server doesn't properly validate the origin and responds with the requested data. Moreover, the server response contains Access-Control-Allow-Origin and Access-Control-Allow-Credentials: true headers:

Only at that true point on, we knew we can deliver demands into the API host from our domain without having to be obstructed because of the CORS policy.

Once a victim is authenticated on OkCupid and browses to the attacker's web application, an HTTP GET request containing the victim's cookies is sent to the API server. The server's response is a large JSON containing the victim's authentication token and the victim's user_id.

We were able to find more useful information in the bootstrap API endpoint, namely sensitive API endpoints on the API server:

The following screenshot shows sensitive PII data exfiltration from the /profile/ API endpoint, using the victim's user_id and the access_token:

The following screenshot shows exfiltration of the victim's messages from the /1/messages/ API endpoint, using the victim's user_id and the access_token:

Summary

The world of online-dating apps has developed rapidly over the years and matured to where it is today with the shift to a digital world, especially in the past 6 months, since the outbreak of Coronavirus around the world. The "new normal" habits such as "social distancing" have forced the dating world to rely entirely on digital tools for help.

The research presented here shows the risks associated with one of the longest-established and most popular apps in its sector. The dire need for privacy and data protection becomes even more important when so much private and intimate information is stored, managed and analyzed within an app. The app and platform were built to bring people together, but of course where people go, criminals will follow, looking for easy pickings.
