Love Bug? Security Flaw Found in OkCupid's Android Version.

    A software vulnerability in the popular dating app could have let hackers take over user accounts and spread malware

    Valentine’s Day may have you looking for love, but you might want to think twice before firing up your favorite dating app.

    Researchers at the Israeli cybersecurity firm Checkmarx recently found security flaws in the Android version of OkCupid that, among other things, could have let cybercriminals send users missives disguised as in-app messages.

    The flaws have since been fixed. Before that, however, users could have been tricked into losing control of their accounts or had information stolen and then used for identity theft or credit card scams, according to the researchers.

    “There was absolutely no way for an unsuspecting user to know that this wasn’t OkCupid, but, instead, a page made to look like OkCupid,” says Erez Yalon, Checkmarx’s head of security research.

    This isn’t the first time Yalon’s team has found security problems in a dating app. Last year, Checkmarx announced that its researchers had found flaws in Tinder’s app that could give hackers a way to see which profile photos a user was looking at and how he or she reacted to those images.

    While both the OkCupid and Tinder security problems have since been fixed, they still stand as a warning to consumers to be wary of all apps, and particularly dating apps, that store a lot of personal information.

    “The OkCupid researchers took advantage of a series of small flaws to wrench open quite a back door,” says Bobby Richter, who leads CR’s privacy and security testing team. “At least the company responded relatively quickly with a fix.”

    Mimicking Pop-Up Apps

    The OkCupid app works together with an outside web browser, such as Chrome or Firefox, to download and display messages from other users. The researchers found that an attacker could create a malicious link that looked legitimate to the app—and once that link was opened inside the OkCupid app, the resulting page would prompt the user to enter log-in credentials.
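    The weakness described above comes down to an app accepting a link that merely looks like it belongs to the service. The check below is an added illustration written for this article, not OkCupid's or Checkmarx's code, and it does not reflect how OkCupid actually validated links before or after the fix. It assumes a hypothetical allowlist of two hosts and contrasts a strict parse-then-compare check with a naive substring match, using constructed sample links to show which lookalike forms each one accepts.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example; the real hosts an in-app link
# handler should accept are not given in the article.
ALLOWED_HOSTS = {"okcupid.com", "www.okcupid.com"}


def naive_contains_check(url: str) -> bool:
    """The kind of check that lets lookalike links through: the trusted
    name appears somewhere in the string, so the link is treated as safe."""
    return "okcupid.com" in url.lower()


def is_trusted_link(url: str) -> bool:
    """Accept a link only if it is https and its parsed host is exactly on
    the allowlist. Parsing first means the host is compared on its own,
    ignoring the path, userinfo, port and any suffix after the real domain."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (for example a bad IPv6 literal): never trust it.
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased; port and user@ prefix stripped
    if not host:
        return False
    return host in ALLOWED_HOSTS


# Constructed sample links: one genuine, the rest lookalikes of the kind a
# phishing message might carry.
SAMPLE_LINKS = [
    "https://www.okcupid.com/messages",            # genuine
    "https://okcupid.com.evil.example/login",      # trusted name as a subdomain prefix
    "https://evil.example/okcupid.com/login",      # trusted name only in the path
    "https://okcupid.com@evil.example/login",      # trusted name in the userinfo part
    "http://www.okcupid.com/messages",             # right host, unencrypted scheme
    "javascript:alert('okcupid.com')",             # not a web link at all
]


def compare_checks(links=SAMPLE_LINKS) -> dict:
    """Return {link: (naive_result, strict_result)} for each sample link."""
    return {u: (naive_contains_check(u), is_trusted_link(u)) for u in links}


if __name__ == "__main__":
    for link, (naive, strict) in compare_checks().items():
        print(f"naive={naive!s:5}  strict={strict!s:5}  {link}")
```

    Only the first link survives the strict check, while the naive substring check accepts every one of them. The same principle applies to an Android deep-link or in-app browser handler: parse the URL, compare the host exactly against a short allowlist, and refuse anything else rather than trying to spot bad links by eye.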

    In addition to account data such as names, email addresses, and geographic location, OkCupid accounts tend to include information about the people a given user might be interested in dating, as well as personal photos and details designed to entice potential dates.

    All that information would make it much easier for a cybercriminal to target the user for cybercrimes such as identity theft, insurance or bank fraud, and even stalking.

    “That’s not a good start,” Yalon says. “But, unfortunately, it gets worse.”

    An attacker potentially could have intercepted communications between the OkCupid user and other people, reading private messages and even tracking the user’s location.

    “Users wouldn’t know the application had been attacked,” Yalon says. “Everything worked completely normally, so they’d continue to use it.”

    How You Can Stay Safe

    Yalon confirmed that the problem has been fixed in the Android version, and OkCupid says the same vulnerabilities didn’t affect the iOS and mobile web versions of the platform.

    Yalon says consumers still need to think before sharing personal information through any kind of app. A mobile website can signal that its connection is encrypted by showing “https” in the URL, but it’s almost impossible to tell whether an app is even encrypting the data it sends to and from corporate servers.

    For any mobile app, the following tips, provided by CR’s privacy and security experts, can help you stay safe.

    • Use multifactor authentication. Turn on this setting, which is available for most big online services, including banks and social media platforms. Then, whenever someone tries to log in to your account, they’ll need both the password and a one-time code texted to your phone. This can prevent hackers who guess your password or acquire it from a data breach from accessing your account. (OkCupid doesn’t currently offer multifactor authentication.)
    • Don’t overshare. The more information you volunteer online, the more information can be stolen. “Be stingy with personal information,” says Justin Brookman, Consumer Reports’ director of consumer privacy and technology policy. You don’t need to fill in every school you’ve attended, the name of your hometown, or even your real birthday just because a digital company asks you for those details—even when it promises you dates or discounts on tech products.
    • Keep apps updated. As the OkCupid incident demonstrates, security teams are constantly fixing software vulnerabilities discovered through data breaches or through the efforts of researchers such as Checkmarx. Download app updates automatically and you get the benefit of these fixes. Fail to do that, and you remain needlessly vulnerable.
    • Turn off location tracking in apps. Whether you have an iPhone or an Android device, you can turn off an app’s access to GPS data. Go through the settings for your apps routinely, making sure you’re not providing more data than the app really needs.

    Bree Fowler

    I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).