Posted at 20:27h
Hacker, 22, seeks LTR with your data: vulnerabilities found on the popular dating app OkCupid
The following screenshot shows an HTTP GET request containing the final XSS payload (part parameter):
steal_token – Steals the user's authentication token, oauthAccessToken, as well as the user's id, userid. The user's sensitive information (PII), such as the email address, is exfiltrated too.
steal_data – Steals the user's profile and private data, preferences, user characteristics (e.g. the answers filled in during registration), and more.
Send_data_to_attacker – Sends the data collected in functions 1 and 2 to the attacker's host.
The function makes an API call to the server. The user's cookies are sent to the server because the XSS payload is executed in the context of the application's WebView.
The server responds with a large JSON document containing the user's id as well as the authentication token:
Steal data function:
The function creates an HTTP request to the graphql endpoint.
Based on the information exfiltrated in the steal_token function, the request is sent with the authentication token and the user's id.
The server responds with all the information about the victim's profile, including email, sexual orientation, height, family status, etc.
Send data to attacker function:
The function makes a POST request to the attacker's host containing all the details retrieved in the previous functions (steal_token and steal_data).