Android OkCupid bug left daters wide open to hackers

Android users of OkCupid are being urged to update the app after researchers found security flaws that could allow hackers to steal credentials.

Researchers from Israeli security firm Checkmarx sounded the alarm when they discovered an exploit that could see hackers take advantage of the app’s reliance on external browsers.

When the OkCupid app fetches messages from other users, it does so with its own browser bundled in the app. While the app outsources most links to an external browser, the researchers found it was trivial to create a malicious link that would trick the app into opening it with its own browser, by adding a specific string to the URL. Once opened in the app, a message would then ask the user to enter their log-in details.
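
The routing decision described above, modelled as an added example (not code from OkCupid or Checkmarx): the marker string, host names and function names are constructed placeholders, and the weak check is an assumed model of "a specific string in the URL selects the in-app browser". It is contrasted with a check that parses the URL and allow-lists the host.

```python
from urllib.parse import urlsplit

# Constructed placeholders: the article does not give the real string or hosts.
IN_APP_MARKER = "/in-app/"
TRUSTED_HOSTS = {"dating.example", "www.dating.example"}

def routes_in_app_weak(url: str) -> bool:
    """Assumed model of the flaw: the marker anywhere in the URL wins."""
    return IN_APP_MARKER in url

def routes_in_app_strict(url: str) -> bool:
    """Embedded browser only for https URLs on an allow-listed host."""
    # Reject characters that URL parsers disagree on before parsing at all.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return False
    return (
        parts.scheme == "https"
        and parts.username is None and parts.password is None
        and port in (None, 443)
        and parts.hostname in TRUSTED_HOSTS   # exact match, never a substring
        and parts.path.startswith(IN_APP_MARKER)
    )

# Constructed sample links covering the common look-alike shapes.
SAMPLES = [
    "https://www.dating.example/in-app/profile",         # genuine in-app page
    "https://www.dating.example/help",                   # genuine, external browser
    "https://lookalike.example/in-app/login",            # marker on a foreign host
    "https://lookalike.example/?next=/in-app/",          # marker in the query string
    "https://www.dating.example@lookalike.example/in-app/",  # host hidden in userinfo
    "https://www.dating.example.lookalike.example/in-app/",  # trusted name as subdomain
    "http://www.dating.example/in-app/profile",          # cleartext scheme
]

def compare(samples):
    """Return (url, weak_decision, strict_decision) for each sample."""
    return [(u, routes_in_app_weak(u), routes_in_app_strict(u)) for u in samples]

if __name__ == "__main__":
    for url, weak, strict in compare(SAMPLES):
        print(f"weak={weak!s:5} strict={strict!s:5} {url}")
```

Every link the strict check rejects falls through to the external browser, where the address bar shows the user which site is asking for their log-in details.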

“There was absolutely no way for an unsuspecting user to know that this wasn’t OkCupid, but, instead, a page made to look like OkCupid,” Checkmarx’s head of security research, Erez Yalon, told Consumer Reports.

With those details obtained, a cybercriminal could take advantage of all the data that dating accounts hold – name, email address, location and so forth – for identity theft, bank fraud or stalking. An attacker could even intercept messages between users, reading private messages and tracking their location. “Users wouldn’t know the application had been attacked,” said Yalon. “Everything worked completely normally, so they’d continue to use it.”

The researchers were particularly alarmed, because the exploit could have become self-propagating, automatically sending messages from one OkCupid user to all of their contacts, putting a huge number of users at risk.

The good news is that if you’re running the latest version, you’re already protected. Checkmarx disclosed the vulnerability to OkCupid on 15 November 2018, and a fix was rolled out on 4 January 2019. The same exploit doesn’t work in a mobile browser, or the iOS version.
