And I also found a zero-click session hijack, along with other enjoyable weaknesses
In this post I share some of my findings from reverse engineering the apps Coffee Meets Bagel and The League. I identified several critical vulnerabilities during the research, all of which have been reported to the affected vendors.
In these unprecedented times, more and more people are escaping into the digital world to cope with social distancing. In times like these cyber-security is more important than ever. From my limited experience, very few startups are mindful of security best practices. The companies behind the wide range of dating apps are no exception. I started this small research project to see just how secure the latest dating apps are.
All the high-severity vulnerabilities disclosed in this post have been reported to the vendors. At the time of publishing, corresponding patches have been released, and I have personally verified that the fixes are in place.
I will not give details of their proprietary APIs unless.
The candidate apps
I picked two popular dating apps available on iOS and Android.
Coffee Suits Bagel
Coffee Meets Bagel, or CMB for short, founded in 2012, is known for showing users a limited number of matches every day. They were hacked once in 2019, with 6 million records stolen. The leaked data included full name, email address, age, registration date, and gender. CMB has been gaining popularity in recent years, which makes it a good candidate for this project.
The League
The tagline of The League app is “date intelligently”. Launched some time in 2015, it is a members-only app, with acceptance and matches based on LinkedIn and Twitter profiles. The app is more expensive and selective than its alternatives, but is its security on par with the price?
I use a combination of static analysis and dynamic analysis for reverse engineering. For static analysis I decompile the APK, mostly using apktool and jadx. For dynamic analysis I use an MITM network proxy with SSL proxying capabilities.
Most of the testing is done inside a rooted Android emulator running Android 8 Oreo. Tests that require more capabilities are done on a real Android device running Lineage OS 16 (based on Android Pie), rooted with Magisk.
Findings on CMB
Both apps have a lot of trackers and telemetry, but I guess that is just the state of the industry. CMB has more trackers than The League though.
See who disliked you on CMB with this one simple trick
The API has a pair_action field in every bagel object, and it is an enum with the following values:
There is an API that, given a bagel ID, returns the bagel object. The bagel ID is shown in the batch of daily bagels. So if you want to see whether someone has rejected you, you could try the following:
This is a harmless vulnerability, but it is funny that this field is exposed through the API even though it is unavailable through the app.
Geolocation data leak, but not really
CMB shows other users' longitude and latitude to 2 decimal places, which is around 1 square mile. Fortunately this data is not real-time, and it is only updated when a user chooses to update their location. (I imagine this is used by the app for matchmaking purposes. I have not confirmed this theory.)
However, I do think this field could be hidden from the response.
Findings on The League
Client-side generated authentication tokens
The League does something pretty unusual in their login flow:
The UUID that becomes the bearer token is entirely client-side generated. Worse, the server does not validate that the bearer value is even a well-formed UUID. This can cause collisions and other problems.
I recommend changing the login model so that the bearer token is generated server-side and sent to the client once the server receives the correct OTP from the client.
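The recommended flow, as an added example that is not The League's code: the client only ever sends its phone number and the OTP, and the server mints the bearer token itself once the OTP checks out. The phone number, OTP length and in-memory stores are constructed for the demo; the `is_valid_uuid` helper only shows the well-formedness check the server was missing, and is no substitute for a server-generated token.

```python
"""OTP login where the server, not the client, mints the bearer token.

Added example (not The League's code). Stores are in-memory and the OTP is
returned to the caller only so the demo can complete the flow; a real
deployment delivers it out of band (SMS) and never echoes it in a response.
"""
import hmac
import secrets
import uuid
from typing import Dict, Optional

_pending_otps: Dict[str, str] = {}   # phone -> OTP awaiting verification (server-side only)
_sessions: Dict[str, str] = {}       # bearer token -> phone


def request_otp(phone: str) -> str:
    """Step 1: the client sends its phone number; the server generates a 6-digit OTP."""
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[phone] = otp
    return otp


def verify_otp(phone: str, otp: str) -> Optional[str]:
    """Step 2: on a correct OTP the server creates the bearer token and returns it.

    The client contributes nothing to the token, so it cannot pick a guessable
    or colliding value. The OTP is single use.
    """
    expected = _pending_otps.get(phone)
    if expected is None or not hmac.compare_digest(expected, otp):
        return None
    del _pending_otps[phone]
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _sessions[token] = phone
    return token


def authenticate(bearer: str) -> Optional[str]:
    """Resolve a bearer token to the logged-in phone; unknown tokens are rejected."""
    return _sessions.get(bearer)


def is_valid_uuid(value: str) -> bool:
    """Strict well-formedness check for a client-supplied UUID (canonical form only).

    This is the validation the post notes was missing. It is input hygiene,
    not authentication: a client-chosen UUID is still not a secret.
    """
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False
```

`hmac.compare_digest` keeps the OTP comparison constant-time, and deleting the pending entry on success stops a captured OTP from being replayed to obtain a second token.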
Phone number leak through an unauthenticated API
In The League there is an unauthenticated API that accepts a phone number as a query parameter. The API leaks information in the HTTP response code. When the phone number is registered, it returns 200 OK, but when the number is not registered, it returns 418 I'm a teapot. It could be abused in a few ways, e.g. mapping all the numbers under an area code to see who is on The League and who is not. Or it could lead to potential embarrassment when your coworker finds out you are on the app.
This has since been fixed after the bug was reported to the vendor. Now the API simply returns 200 for all requests.
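The before and after of that fix, as an added example rather than The League's own handler: the leaky version answers with a different status code depending on registration state, the fixed version returns an identical response for every number and does the registration-dependent work (sending the OTP) out of band. The registered-number set and the response body are constructed for the demo; the 200/418 pair is the one the post describes.

```python
"""Unauthenticated phone lookup: status-code oracle beside the uniform fix.

Added example, not The League's code. REGISTERED and the response bodies are
constructed sample data.
"""
from typing import Callable, Dict, List, Tuple

REGISTERED = {"+15550100", "+15550101"}   # constructed sample data
_otp_outbox: List[str] = []               # stands in for the SMS gateway

Response = Tuple[int, Dict[str, str]]


def lookup_leaky(phone: str) -> Response:
    """Before: the status code differs by registration state, so any caller
    can test whether a number is on the service (a membership oracle)."""
    if phone in REGISTERED:
        return 200, {"status": "ok"}
    return 418, {"status": "unknown"}


def lookup_fixed(phone: str) -> Response:
    """After: every number gets the same status and body. Registered numbers
    receive an OTP out of band; the HTTP response reveals nothing."""
    if phone in REGISTERED:
        _otp_outbox.append(phone)
    return 200, {"status": "ok"}


def responses_indistinguishable(handler: Callable[[str], Response],
                                known: str, unknown: str) -> bool:
    """Regression check: a registered and an unregistered number must produce
    byte-identical responses from the handler under test."""
    return handler(known) == handler(unknown)
```

The same check belongs in the API's test suite, and response timing should be kept flat as well, since a noticeably slower path for registered numbers (for example, the SMS send) is just another oracle.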
LinkedIn job details
The League integrates with LinkedIn to show a user's job title and employer name on their profile. Sometimes it goes a bit overboard collecting data. The profile API returns detailed job position data scraped from LinkedIn, like the start year, end year, etc.
While the app does ask for the user's permission to read their LinkedIn profile, the user probably does not expect the detailed position data to be part of their profile for everyone else to see. I do not think that kind of data is required for the app to function, and it can probably be excluded from profile data.
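One fix covers all three over-exposure findings above (the pair_action field and the precise coordinates in the CMB bagel object, and the scraped LinkedIn position details in the League profile): serialize API responses from an allowlist of fields the client actually renders, so anything new in the internal model stays hidden by default. This is an added example, not either app's code; the record below is constructed, and the field names other than pair_action, latitude, longitude, start year and end year are assumptions.

```python
"""Allowlist-based API serializer (added example, not CMB's or The League's code).

INTERNAL_RECORD is a constructed mix of the fields the post mentions; the
allowlist is an assumed set of what a profile card needs.
"""
from typing import Any, Dict, Set, Tuple

INTERNAL_RECORD: Dict[str, Any] = {
    "id": "user-123",
    "display_name": "Alex",
    "age": 31,
    "job_title": "Engineer",
    "employer": "Example Corp",
    "pair_action": "REJECTED",        # matching state the app never renders
    "latitude": 37.7749,              # precise coordinates, server-side use only
    "longitude": -122.4194,
    "linkedin_positions": [           # scraped details the profile page never shows
        {"title": "Engineer", "employer": "Example Corp",
         "start_year": 2018, "end_year": 2021},
    ],
}

# What a client needs to draw the card. Adding a field here is a deliberate act.
PUBLIC_PROFILE_FIELDS: Set[str] = {"id", "display_name", "age", "job_title", "employer"}

# Fields that must never leave the backend; used by the regression check below.
SERVER_ONLY_FIELDS: Set[str] = {"pair_action", "latitude", "longitude", "linkedin_positions"}


def serialize(record: Dict[str, Any],
              allowed: Set[str] = PUBLIC_PROFILE_FIELDS) -> Dict[str, Any]:
    """Copy only allowlisted keys. A denylist would silently expose every
    field added to the model later; an allowlist fails closed."""
    return {k: v for k, v in record.items() if k in allowed}


def unexpected_fields(response: Dict[str, Any]) -> Set[str]:
    """Regression check for the API test suite: server-only keys found in a response."""
    return SERVER_ONLY_FIELDS & set(response)


def coarse_location(lat: float, lon: float, decimals: int = 2) -> Tuple[float, float]:
    """If a rough location must be shared for matchmaking, round it explicitly at
    the API boundary instead of trusting the client to truncate. Two decimals is
    the roughly one-square-mile precision the post describes."""
    return round(lat, decimals), round(lon, decimals)
```

Pairing `serialize` with `unexpected_fields` in a test means a new server-side column can never reach clients without someone consciously adding it to the allowlist.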