Security researchers warn of critical zero-day flaws in Gaper dating app
Adam Bannister February 18, 2021 at 13:08 UTC
Updated: February 18, 2021 at 13:34 UTC
“We have identified that it is possible to compromise any account on the app within 10 minutes”
Critical zero-day vulnerabilities in Gaper, an “age gap” dating app, could be exploited to compromise any user account and potentially extort users, security researchers say.
The lack of access control, brute-force protection and multi-factor authentication in the Gaper app means that attackers could exfiltrate sensitive personal data and use it to achieve full account takeover in just 10 minutes.
More worryingly, the attack did not rely on “0-day exploits or advanced techniques and we would not be surprised if this had not been previously exploited in the wild,” UK-based Ruptura InfoSecurity said in a technical write-up published yesterday (February 17).
Despite the apparent severity of the threat, researchers said Gaper had not responded to multiple attempts to contact them via email, their only channel for support.
Obtaining personal data
Gaper, which launched in the summer of 2019, is a dating and social networking app for people seeking a relationship with younger or older men or women.
According to Ruptura InfoSecurity, the app has around 800,000 users, mostly based in the UK and US.
Since certificate pinning was not enforced, the researchers said it was possible to achieve a man-in-the-middle (MitM) position using a Burp Suite proxy.
This allowed them to inspect “HTTPS traffic and easily list features.”
The researchers then created a fake user profile and used a GET request to access the “info” function, which revealed the user’s session token and user ID.
This allowed an authenticated user to query any other user’s data, “provided they know their user_id value” – which is easy to guess, since this value is “simply incremented by one each time a new user is created,” said Ruptura InfoSecurity.
“An attacker could iterate through user_id values to retrieve a long list of sensitive information that could be used in other targeted attacks against all users,” including “email address, date of birth, location and even sexual orientation,” they continued.
Alarmingly, the recoverable data would also include user uploaded images, which “are stored in a publicly accessible and unauthenticated database – potentially leading to extortion-type situations.”
Brute-forcing the PIN
Armed with a list of user email addresses, the researchers chose not to launch a brute force attack on the login feature, as this “could potentially have locked out all users of the app, causing a tremendous amount of noise…”.
Instead, the security holes in the Forgot Password API and the “one-factor authentication” requirement offered a more low-key path “to complete compromise of arbitrary user accounts.”
The password reset API responds to valid email addresses with a 200 OK, and an email containing a four-digit PIN is sent to the user to enable a password reset.
Observing the lack of rate limiting, the researchers wrote a tool to “automatically request a PIN for a valid email address” before rapidly sending API requests containing the possible four-digit PIN permutations.
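The reset flow described above, rebuilt with the controls the researchers found missing, as an illustration written for this article (it is not Gaper’s code or Ruptura InfoSecurity’s tooling); the attempt cap, PIN lifetime and opaque user ids are assumed values chosen for the example:

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5        # assumed cap: after this many wrong PINs the token is dead
PIN_TTL_SECONDS = 600   # assumed lifetime of a reset PIN


@dataclass
class ResetToken:
    pin: str
    issued_at: float
    attempts: int = 0


def new_user_id() -> str:
    """Opaque, non-sequential id: unlike an incrementing user_id, it cannot be
    walked to enumerate every account through an endpoint like /info."""
    return secrets.token_urlsafe(16)


class PasswordResetService:
    """Issues and verifies password-reset PINs with the controls the article
    found missing: unpredictable PIN, expiry, single use, attempt cap and
    constant-time comparison. The 4-digit PIN mirrors the article; with only
    10,000 possibilities, the attempt cap is what makes guessing infeasible."""

    def __init__(self, pin_digits: int = 4, clock=time.time):
        self.pin_digits = pin_digits
        self.clock = clock
        self._tokens: Dict[str, ResetToken] = {}

    def request_reset(self, email: str) -> Optional[str]:
        # The PIN is returned here only for the mail sender; the HTTP response
        # must not reveal whether the address exists (same 200 OK either way).
        pin = f"{secrets.randbelow(10 ** self.pin_digits):0{self.pin_digits}d}"
        self._tokens[email] = ResetToken(pin=pin, issued_at=self.clock())
        return pin

    def verify_pin(self, email: str, guess: str) -> bool:
        tok = self._tokens.get(email)
        if tok is None:
            return False
        if self.clock() - tok.issued_at > PIN_TTL_SECONDS:
            del self._tokens[email]          # expired: a fresh request is needed
            return False
        tok.attempts += 1
        ok = guess.isascii() and hmac.compare_digest(tok.pin, guess)  # no timing leak
        if ok or tok.attempts >= MAX_ATTEMPTS:
            del self._tokens[email]          # single use, or locked once the cap is hit
        return ok
```

With the cap in place, an enumeration of all 10,000 PINs gets at most five evaluated guesses before the token is discarded, so the correct PIN no longer works even if it is tried later.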
In their attempt to report the issues to Gaper, security researchers sent the company three emails, on November 6 and 12, 2020, and January 4, 2021.
Having received no response within 90 days, they publicly disclosed the zero-days in accordance with Google’s vulnerability disclosure policy.
“The advice for users would be to deactivate their accounts and ensure that the apps they use for dating and other sensitive actions are properly secured (at least with 2FA),” Tom Heenan, Managing Director of Ruptura InfoSecurity, told The Daily Swig.
To this day (February 18), Gaper has still not responded, he added.
The Daily Swig also contacted Gaper for comment and will update the article if and when we have a response.