Skip to main content

How Loneliness Help Me to Find Vulnerability And Virtual Date

 

OkCupid LIKE Restriction Bypass

Somebody said, “Loneliness help you to think differently”. I was abroad for a project and was feeling very bored there as this was my fourth time here at the same place. I was checking my Instagram and I saw an advertisement for “OKCupid” “Dating Deserves Better”. I thought this was a good way for time to pass and to know new humans. I installed the application and started “Right Swipe” as a normal male human.

After some “Right Swipe” the application started asking for money and blocked my “swipe” for 10 hours. Now again I started feeling bored and the question came in my mind. How this application blocked me from swiping? I opened the Burp and started fuzzing the application and what is found is mentioned below.

During my analysis, it was observed that the number of like counts or “likeRemaining” given to the normal user is 50.

So, I started fuzzing and I found that the (/1/apitun/messages/send) POST request is used for sending messages to other users without validating the “LikesRemaining“count. It was also observed that when I sent a message without liking the profile it automatically liked that profile and it didn’t affect the “LikesRemaining” count which means you will LIKE any number of profiles with the normal user (Normal user = who doesn’t pay for it).

For exploiting this issue, I need “Userid”, so for this, I used a GET request (https://www.okcupid.com/match) to get the “userid”.

I made a script that automates the process of capturing the “userid” and sending a message to the users. This was shocking for me that within one day I liked 2000 plus user profiles which increased the probability of profile matching. In two days, I got the sixty-plus match.

“Automation Makes Your Life Easy”

Proof of concept:

Step 1: I logged into the application as “Rishu”. In this scenario, “Rishu” is an attacker. This is only for explanation purposes.

Step 2: In another browser, I logged in as “Victim”.

Step 3: I accessed the “Victim” profile from the “Rishu” account to get the “UserID” of the victim and capture the request and response in Burp (proxy tool).

The “userid” mentioned in POC was the “userid” of the victim that was accessed by an attacker.

Step 4: Now I had the “userid” of the victim. I liked the random user to get the POST request of “message send” (/1/apitun/messages/send) and captured that request in Burp that I used later for attack and same used in the automatic script.

Step 5: Before sending the message to the victim, first I checked the “likeRemaining”count in my balance here it is 43.

Step 6: Again, I checked the “Victim” profile from the “Rishu” profile to confirmed that the profile was not liked by “Rishu” an attacker. “Victim” profile is new so now like on his profile yet.

Step 7: Now I replaced the “userid” with “victim” userid in Step 4 request.

Step 8: After sending the above request the “LIKE” button changed to the “MESSAGE” button. This means that the victim profile successfully liked by an attacker i.e “Rishu”.

Step 9: Now again I checked the “LikesRemaing” count and it was same as above which was 43.

Step 10: Now, I again checked the “Victim” profile for the “LIKE” and it was observed that “Victim” successfully got the like. As “Victim” is also a normal user so not able to see the request.

Impact:

This vulnerability will impact the business and financial as this vulnerability allow a normal user to LIKE any number of users. This vulnerability will fail the business model of this application. This vulnerability allows the attacker to send the LIKE to all the users on this website that means it will increase the possibility of a profile match of the attacker. It causes financial loss as the attacker doesn’t want to buy for sending more like.

I made one Python script to automate this process which directly defines the impact of this vulnerability.

Exploit Code: https://github.com/crazywifi/OKCupid_LIKES_Restriction_Bypass

That “Somebody” is me who said this. :P

When I was writing this blog, I had already virtually dated 100 Plus in 3 days. It was a different experience to know and understand the different thought processes. This was my first experience on a dating site and I understand that this type of site helps you to understand the psychology and the thought process of others. It’s a different world of thought processes.

Being alone and actually sitting with our own thoughts can lead to such growth and realizations that are rare in our everyday busy lives.” — Kourtney Kardashian

Labels:

Comments

Post a Comment

Popular posts from this blog

Free Cybersecurity Certifications

Introduction to Cybersecurity Cybersecurity Essentials Networking Essentials Android Bug Bounty Hunting: Hunt Like a Rat Ethical Hacking Essentials (EHE) Digital Forensics Essentials (DFE) Network Defense Essentials (NDE) Introduction to Dark Web, Anonymity, and Cryptocurrency AWS Skill Builder Introduction to Cybersecurity Building a Cybersecurity Toolkit Cyber Aces Free Cyber Security Training Course Introduction to Information Security Penetration Testing - Discovering Vulnerabilities
Post a Comment
Read more

Web Application Security Testing (WAPT) Interview Questions

Let's Contribute All Together For Creating a Questions Dump What are the vulnerabilities you have to test in the Login form, Payment gateway? What is clickjacking? What is the mitigation of clickjacking? What is CSRF? How to mitigate CSRF? Let's take an example, If a developer implements a CSRF token in a cookie, will it mitigate the CSRF issue? Is it possible to mitigate the CSRF by header? If yes why, if No why? If the data is in JSON format, how you will check the CSRF issue and what are the ways of exploitation? Where to implement the CSRF token and why? If the client doesn't want to change the UI or doesn't want to implement the CSRF tokens, and headers then what mitigation you recommended to the client for CSRF? What is the problem with the per-request token? Is login CSRF possible? Explain login CSRF? Have you ever exploited it? What is the mitigation for login CSRF? Suppose, in an application csrf token is implemented in each request and every request, except th
Post a Comment
Read more

Is your webcam exposed on the internet and everyone enjoying your personal moments? | How to check webcam or security camera is exposed on the internet or not?

Nowadays we start using many technology devices in our homes. Many people are installing CCTV or security cameras in their houses, private rooms, offices, private places, etc for security purposes and monitoring, but many of them don't know how to configure that device securely. So let's talk about CCTV and security cameras only.  What do most CCTV/Security camera users believe? Most users believe that using a strong username and password on a camera administrative page protects them. (Partially true in the case of online cameras) Example: Why it is partially true? It's partially true because you are protecting only the camera administrative page which is also an important part. Still, you are not protecting the protocol used to control streaming media servers (Real-Time Streaming Protocol ( RTSP )). I have seen many online webcams whose administrative page is secured by strong credentials, but they forget to secure the RTSP protocol which gives me access to the streaming
Post a Comment
Read more