Zero-day vulnerabilities in dating app expose user’s sensitive data

A set of zero-day vulnerabilities in Gaper, a dating app with a special focus on users’ age, would allow threat actors to illegally access any account for malicious purposes. Researchers report that Gaper lacks any access control mechanism, whether multi-factor authentication or brute force attack protection, which poses a serious security risk to users.

Gaper was released in 2019 and caught the attention of thousands of users, as it was intended for those who wanted a relationship with someone older or younger. At this moment the application has about 800 thousand users, mainly in the United States and the United Kingdom.  

The report, presented by British security firm Ruptura InfoSecurity, mentions that this attack does not even require advanced zero-day flaw exploitation techniques: “We would not be surprised if this attack has already been actively deployed, which would take just about 10 minutes,” experts say. While the company tried to submit its report to Gaper developers, so far they have not gotten any response.

The main issue has to do with application security certificates, whose handling allows malicious hackers to deploy a Man-in-The-Middle (MiTM) condition using a Burp Suite proxy: “This way, threat actors can review users’ HTTPS traffic and list functionality with ease,” the report says.

At that time the researchers created a fake profile and sent a GET request to access the “information” function, where they obtained the login token and identification of some users, allowing to consult any other profile just by knowing the value of “user_id”, which is easily guessable because the application simply increases its value by one each time a new user is registered.

“Attackers could retrieve an extensive list of sensitive information that could be used to deploy sophisticated phishing attacks, as they could access sensitive details such as date of birth, place of residence, and even sexual orientation,” the researchers add. Cybercriminals could even access intimate photos of users, putting them at risk of extortion.

For their demonstration of the attack, investigators decided not to launch a brute force attack, as this could have led to massive account blockade. Instead they abused Gaper’s poor security practices for the engagement of certain accounts.

As mentioned above, the report has already been sent to Gaper but the company has not issued any responses, so users are advised to disable their accounts at least until Gaper announces that these failures have already been fixed.