Security Flaw OkCupid Android Version | Dating App

Bree Fowler

Updated February 14, 2019 at 9:00 AM

Love Bug? Security Flaw Found in OkCupid's Android Version.

Consumer Reports has no financial relationship with advertisers on this site.

Valentine’s Day may have you looking for love, but you might want to think twice before firing up your favorite dating app.

Researchers at the Israeli cybersecurity firm Checkmarx recently found security flaws in the Android version of OkCupid that, among other things, could have let cybercriminals send users missives disguised as in-app messages.

The flaws have since been fixed. Before that, however, users could have been tricked into losing control of their accounts or had information stolen and then used for identity theft or credit card scams, according to the researchers.

“There was absolutely no way for an unsuspecting user to know that this wasn’t OkCupid, but, instead, a page made to look like OkCupid,” says Erez Yalon, Checkmarx’s head of security research.

This isn’t the first time Yalon’s team has found security problems in a dating app. Last year, Checkmarx announced that its researchers had found flaws in Tinder’s app that could give hackers a way to see which profile photos a user was looking at and how he or she reacted to those images.

While both the OkCupid and Tinder security problems have since been fixed, they still stand as a warning to consumers to be wary of all apps, and particularly dating apps, that store a lot of personal information.

“The OkCupid researchers took advantage of a series of small flaws to wrench open quite a back door,” says Bobby Richter, who leads CR’s privacy and security testing team. “At least the company responded relatively quickly with a fix.”

Mimicking Pop-Up Apps

The OkCupid app works together with an outside web browser, such as Chrome or Firefox, to download and display messages from other users. The researchers found that an attacker could create a malicious link that looked legitimate to the app—and once opened in the OkCupid app, the message would ask the user to enter log-in credentials.

In addition to account data such as names, email addresses, and geographic location, OkCupid accounts tend to include information about the people a given user might be interested in dating, as well as personal photos and details designed to entice potential dates.

All that information would make it much easier for a cybercriminal to target the user for cybercrimes such as identity theft, insurance or bank fraud, and even stalking.

“That’s not a good start,” Yalon says. “But, unfortunately, it gets worse.”

An attacker potentially could have intercepted communications between the OkCupid user and other people, reading private messages and even tracking the user’s location.

“Users wouldn’t know the application had been attacked,” Yalon says. “Everything worked completely normally, so they’d continue to use it.”

How You Can Stay Safe

Yalon confirmed that the problem has been fixed in the Android version, and OkCupid says the same vulnerabilities didn’t affect the iOS and mobile web versions of the platform.

Yalon says consumers still need to think before sharing personal information through any kind of app. A mobile website can show that such data is encrypted by putting “https” in the URL, but it’s almost impossible to tell whether an app is even encrypting the data sent to and from corporate servers.

For any mobile app, the following tips, provided by CR’s privacy and security experts, can help you stay safe.

Use multifactor authentication. Turn on this setting, which is available for most big online services, including banks and social media platforms. Then, whenever someone tries to log in to your account, they’ll need both the password and a one-time code texted to your phone. This can prevent hackers who guess your password or acquire it from a data breach from accessing your account. (OkCupid doesn’t currently offer multifactor authentication.)
Don’t overshare. The more information you volunteer online, the more information can be stolen. “Be stingy with personal information,” says Justin Brookman, Consumer Reports’ director of consumer privacy and technology policy. You don’t need to fill in every school you’ve attended, the name of your hometown, or even your real birthday just because a digital company asks you for those details—even when it promises you dates or discounts on tech products.
Keep apps updated. As the OkCupid incident demonstrates, security teams are constantly fixing software vulnerabilities discovered through data breaches or through the efforts of researchers such as Checkmarx. Download app updates automatically and you get the benefit of these fixes. Fail to do that, and you remain needlessly vulnerable.
Turn off location tracking in apps. Whether you have an iPhone or an Android device, you can turn off an app’s access to GPS data. Go through the settings for your apps routinely, making sure you’re not providing more data than the app really needs.

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.

Yahoo Sports
Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'
Murray made a bad night on the court worse during a moment of frustration on the bench.
Yahoo Sports
Former NBA guard Darius Morris dies at 33
Former NBA guard Darius Morris has died at the age of 33. He played for five teams during his four NBA seasons. Morris played college basketball at Michigan.
Yahoo Finance
The FDIC change that leaves wealthy bank depositors with less protection
Affluent Americans may want to double-check how much of their bank deposits are protected by government-backed insurance. The rules governing trust accounts just changed.
Yahoo Finance
Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'
Ryan says he would be writing in a Republican candidate instead of voting for Donald Trump.
Yahoo Sports
Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1
It’s key to note that we’re not saying the “best team” or “best roster.” Instead, we’re talking about the best confluence of factors that can outline a path for survival and then success.
Yahoo Sports
Phil Mickelson on the majors: 'What if none of the LIV players played?'
Phil Mickelson hints that big changes could be coming to LIV Golf's rosters, and the majors will need to pay attention.
Yahoo Sports
Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more
Miami Heat president Pat Riley rebuked comments Jimmy Butler made about the Boston Celtics and New York Knicks, while also implying that his star needs to play more.
Yahoo Sports
Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap
Jake Mintz & Jordan Shusterman discuss the Padres-Marlins trade that sent Luis Arraez to San Diego, as well as recap all the action from this weekend in baseball and send birthday wishes to hall-of-famer Willie Mays.
Yahoo Sports
NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks
Tuesday's last-2-minute report should be interesting.
Yahoo Finance
Social Security just passed Medicare as the government's most pressing insolvency risk
An annual government report offered a glimmer of good news for Social Security and a jolt of good news for Medicare even as both programs continue to be on pace to run dry next decade.
Yahoo Sports
No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it
The quality was choppy, but it was better than what the WNBA had.
Yahoo Sports
The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024
Fantasy baseball analyst Dalton Del Don delivers his latest batch of hot takes as we enter Week 6 of the season.
Yahoo Sports
NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series
Our NBA staff makes its picks for Knicks-Pacers and every second-round series.
Yahoo Sports
Ex-Ole Miss QB and Denver Broncos draft pick Chad Kelly suspended at least nine games by CFL
Kelly allegedly harassed a female strength and conditioning coach who sued him and the Toronto Argonauts in February.
Yahoo Sports
NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?
Which teams did the best in the NFL Draft?
Yahoo Celebrity
Dwayne Johnson is difficult to work with, report claims. The star has 'mountains of public goodwill' to offset negativity, expert says.
Once named the “Most Likable Person in the World,” the actor is under fire in a new report, accused of showing up to work late on the film “Red One,” irritating the crew and causing the budget to balloon.
Yahoo Sports
Daryl Morey vows 'a lot of change' around Joel Embiid, Tyrese Maxey: Who will 76ers target this offseason?
The window for Philadelphia is now, and it's up to Morey this offseason to maximize it.
Yahoo Sports
Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype
Victor Wembanyama did everything for the Spurs as a rookie.
Autoblog
Edmunds bought a Fisker Ocean, warns others not to make the same mistake
Edmunds bought a Fisker Ocean and details the highs and lows of ownership while warning others not to make the same mistake.
Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.

News

Life

Entertainment

Finance

Sports

New on Yahoo

Security Flaw OkCupid Android Version | Dating App

Mimicking Pop-Up Apps

How You Can Stay Safe

Recommended Stories

Timberwolves coach Chris Finch calls Jamal Murray's heat-pack toss on court 'inexcusable and dangerous'

Former NBA guard Darius Morris dies at 33

The FDIC change that leaves wealthy bank depositors with less protection

Former House Speaker Paul Ryan says he’s not voting for Trump : 'Character is too important'

Ranking the best situations for the rookie quarterbacks: Start with Michael Penix in Atlanta at No. 1

Phil Mickelson on the majors: 'What if none of the LIV players played?'

Heat's Pat Riley unhappy with Jimmy Butler's remarks on Celtics and Knicks, implies he needs to play more

Blockbuster May trade by Padres, MVP Ohtani has arrived, Willie Mays’ 93rd birthday & weekend recap

NBA playoffs: Officials admit they flubbed critical kick-ball call in controversial final minute of Pacers-Knicks

Social Security just passed Medicare as the government's most pressing insolvency risk

No one was airing Angel Reese and Kamilla Cardoso's WNBA preseason debuts, so an X user livestreamed it

The Scorecard: Andy Pages looks set to go down as one of the best fantasy baseball waiver wire pickups of 2024

NBA playoffs: Predictions for Celtics-Cavaliers and every second-round series

Ex-Ole Miss QB and Denver Broncos draft pick Chad Kelly suspended at least nine games by CFL

NFL Power Rankings, draft edition: Did Patriots fix their offensive issues?

Dwayne Johnson is difficult to work with, report claims. The star has 'mountains of public goodwill' to offset negativity, expert says.

Daryl Morey vows 'a lot of change' around Joel Embiid, Tyrese Maxey: Who will 76ers target this offseason?

Victor Wembanyama wins NBA Rookie of the Year via unanimous vote after delivering on unprecedented hype

Edmunds bought a Fisker Ocean, warns others not to make the same mistake

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race