![]() “In the attack we crafted, the web page simulates a user login page with the OkCupid look and feel, inside the OkCupid application,” researchers at Checkmarx said. An attacker could very simply create a page with a URL containing /l/, and send it to an unsuspecting victim as an internal OkCupid message. Attacks Varying in SeverityĪt the most simple level, this flaw sets up the perfect attack vector for phishing techniques, researchers said. 4, and researchers stressed that users should update as soon as possible. A fix to the application was released Jan. Researchers said that they reached out to OkCupid on Nov. The vulnerability does not have a CVE number regarding CVSS score, Yalon told Threatpost the bug “is critical (maybe even maximal) since it is not hard to implement.” Unfortunately, in this case, the attack would be very hard to identify by an unsuspecting user, so the responsibility of protection is on the vendor.” “Awareness should be raised toward that kind of attack. “Users are used to somewhat suspecting links that arrive by email or messaging apps, but there is false confidence in links that are sent as internal messages in apps,” Erez Yalon, head of security research at Checkmarx, told Threatpost. That means that bad actors could send app users URLs that contain “/l/” and, because it opens within the app, few users would suspect that the links are malicious, researchers said. The flaw arises from the fact that any link containing a specific string, “/l/”, will pass as a MagicLink. However, some URLs are defined by OkCupid as MagicLinks, which are opened and rendered within the app’s WebView. ![]() In order to avoid handling external content, nearly every link that is passed to the OkCupid app is opened and handled by the associated browser (including Chrome, Firefox, etc.). This produces what is called a hybrid app. The vulnerability exists in OkCupid’s Android app, which uses a “WebView,” i.e., a browser bundled inside of a mobile application. Users should, of course, update their app as soon as possible. In the most dire scenario, the flaw could allow bad actors to send daters malicious links with self-replicating malware: “The disruptive potential of this attack is frightening as it is not hard to implement, it is not easy to detect by a typical user, and has high confidentiality, high integrity and high availability impact,” said researchers in a post detailing a proof of concept (PoC) attack for the flaw. ![]() The newly disclosed vulnerability is incredibly easy to exploit, and yet has serious consequences: Attackers can monitor the app’s usage, read all messages and even track the victim’s geographic location, researchers with Checkmarx, who discovered the flaw, said on Thursday. This is separate from the OKCupid account-takeover incident reported earlier in the week, but it does fit the theme of Valentine’s Day, when cybercriminals turn their sights to romance-seekers leading up to the holiday (see below for more on that). A critical flaw in the OkCupid app has been found that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application.
0 Comments
Leave a Reply. |