Love Bug Found in OkCupid Android App

Only days after Infosecurity reported that OkCupid users said their accounts had been hacked, Checkmarx disclosed that the OkCupid Android App actually posed risks because of security failures in MagicLinks. It’s well known that malicious actors love to exploit a good holiday, which puts users at risk on Valentine’s Day. To identify any potential vulnerabilities, researchers dove into the popular Android dating app only to discover that attackers could easily gain access to user information, including personal contact information such as email aliases, names, genders, dates of birth and locations. In addition, researchers found that they could gain access to a user’s dating preferences, such as whether they’re looking to hook up, find new friends, and date short or long term and whether they’re open to non-monogamy. According to researchers, most of the URLs that pass through the app are not vulnerable because OkCupid uses WebView, yet some URLs are designated as MagicLink, which Checkmark describes as opening “inside the main OkCupid WebView, which means that the user has no way of knowing whether its content is legitimate or not. For every MagicLink, what is shown on the screen is just part of the OkCupid application as far as the user knows.”