So I reverse engineered two dating apps.

And I got a zero-click session hijacking along with other fun vulnerabilities

In this post I show some of my findings from reverse engineering the apps Coffee Meets Bagel and The League. I have identified several critical vulnerabilities during the research, most of which have already been reported to the affected vendors.


During these unprecedented times, more and more people are escaping into the digital world to cope with social distancing. In times like these, cyber-security is more important than ever. From my limited experience, very few startups are mindful of security best practices. The companies responsible for a large range of dating apps are no exception. I started this small research project to see how secure the latest dating apps are.

Responsible disclosure

All high severity vulnerabilities disclosed in this post have been reported to the vendors. By the time of publishing, corresponding patches have been released, and I have independently verified that the fixes are in place.

I will not provide details of their proprietary APIs unless.

The candidate apps

I picked two popular dating apps on iOS and Android.

Coffee Meets Bagel

Coffee Meets Bagel, or CMB for short, launched in 2012, is known for showing users a limited number of matches every day. They were hacked once in 2019, with 6 million accounts stolen. Leaked information included full name, email address, age, registration date, and gender. CMB has been gaining popularity in recent years, and makes a good candidate for this project.

The League

The tagline for The League app is “date intelligently”. Launched some time in 2015, it is a members-only app, with acceptance and matches based on LinkedIn and Twitter profiles. The app is more expensive and selective than its alternatives, but is security on par with the price?

Testing methodologies

I use a combination of static analysis and dynamic analysis for reverse engineering. For static analysis I decompile the APK, mostly using apktool and jadx. For dynamic analysis I use an MITM network proxy with SSL proxy capabilities.

Most of the testing is done inside a rooted Android emulator running Android 8 Oreo. Tests that require more capabilities are done on a real Android device running LineageOS 16 (based on Android Pie), rooted with Magisk.

Findings on CMB

Both apps have a lot of trackers and telemetry, but I guess that is just the state of the industry. CMB has more trackers than The League though.

See who disliked you on CMB with this one simple trick

The API includes a pair_action field in every bagel object, and it is an enum with the following values:

There is an API that, given a bagel ID, returns the bagel object. The bagel ID is shown in the batch of daily bagels. So if you want to see if someone has rejected you, you could try the following:

It is a harmless vulnerability, but it is funny that this field is exposed through the API but is unavailable through the app.

Geolocation data leak, but not really

CMB shows other users’ longitude and latitude up to 2 decimal places, which is around 1 square mile. Fortunately this information is not real-time, and it is only updated when a user chooses to update their location. (I imagine this is used by the app for matchmaking purposes. I have not verified this hypothesis.)

However, I do think this field could be hidden from the response.

Findings on The League

Client-side generated authentication tokens

The League does something pretty unusual in their login flow:

The UUID that becomes the bearer is entirely client-side generated. Worse, the server does not verify that the bearer value is an actual valid UUID. It might cause collisions and other problems.

I recommend changing the login model so that the bearer token is generated server-side and sent to the client after the server receives the correct OTP from the client.
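A minimal sketch of the recommended model, added here as an illustration and not taken from The League's code or API: the server creates the bearer token from its own CSPRNG only after a correct OTP, and never accepts a client-chosen value. The class name, method names, OTP lifetime and attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed OTP lifetime
MAX_OTP_ATTEMPTS = 5    # assumed number of guesses allowed per challenge


class AuthServer:
    """Hypothetical in-memory login service (illustration only)."""

    def __init__(self, now=time.time):
        self._now = now
        self._challenges = {}  # phone -> [otp, expires_at, attempts_left]
        self._sessions = {}    # sha256(token) -> phone

    def start_login(self, phone):
        """Create an OTP challenge; the return value stands in for the SMS."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._challenges[phone] = [otp, self._now() + OTP_TTL_SECONDS,
                                   MAX_OTP_ATTEMPTS]
        return otp

    def verify_otp(self, phone, otp):
        """Issue a fresh bearer token only for a correct, unexpired OTP."""
        challenge = self._challenges.get(phone)
        if challenge is None:
            return None
        expected, expires_at, attempts_left = challenge
        if self._now() > expires_at or attempts_left <= 0:
            del self._challenges[phone]
            return None
        challenge[2] -= 1  # count this guess before comparing
        if not hmac.compare_digest(expected.encode(), str(otp).encode()):
            return None
        del self._challenges[phone]        # an OTP is single use
        token = secrets.token_urlsafe(32)  # 256 bits, generated server-side
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._sessions[digest] = phone     # store only the token's hash
        return token

    def authenticate(self, bearer):
        """Resolve a bearer token; values the server never issued fail."""
        if not isinstance(bearer, str):
            return None
        digest = hashlib.sha256(bearer.encode()).hexdigest()
        return self._sessions.get(digest)
```

Because the only tokens that authenticate are ones the server generated and recorded, a bearer value invented by a client matches nothing, whether or not it looks like a UUID.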

Phone number leak through an unauthenticated API

In The League there is an unauthenticated API that accepts a phone number as a query parameter. The API leaks information in the HTTP response code. When the phone number is registered, it returns 200 OK, but when the number is not registered, it returns 418 I'm a teapot. It could be abused in a few ways, e.g. mapping all the numbers under an area code to see who is on The League and who is not. Or it can lead to potential embarrassment when your coworker finds out you are on the app.

This has since been fixed after the bug was reported to the vendor. Now the API simply returns 200 for all requests.
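The following added example (not the vendor's code) models the behaviour before and after the fix, gives a regression check that the status code no longer depends on registration state, and flags clients that query many distinct numbers in a short window. The handler names, user table, log format, window and threshold are constructed assumptions.

```python
from collections import defaultdict

REGISTERED = {"+15550100", "+15550123"}  # constructed sample user table


def lookup_leaky(phone):
    """Pre-fix behaviour described above: the status reveals registration."""
    return 200 if phone in REGISTERED else 418


def lookup_uniform(phone):
    """Post-fix behaviour: the same status for every request."""
    return 200


def status_oracle(handler, probes):
    """True if the status code varies across probes, i.e. the handler leaks."""
    return len({handler(p) for p in probes}) > 1


def flag_enumeration(log_lines, window=60, threshold=5):
    """Return client IPs that queried >= threshold distinct numbers within
    `window` seconds. Line format (constructed): '<epoch> <ip> <phone>'."""
    recent = defaultdict(list)  # ip -> [(timestamp, phone)] inside the window
    flagged = set()
    for line in log_lines:
        ts_text, ip, phone = line.split()
        ts = int(ts_text)
        events = [(t, p) for t, p in recent[ip] if ts - t <= window]
        events.append((ts, phone))
        recent[ip] = events
        if len({p for _, p in events}) >= threshold:
            flagged.add(ip)
    return flagged


# Constructed access-log sample: one client walks a number range, while
# another repeats a single lookup minutes apart.
SAMPLE_LOG = [
    "1700000000 198.51.100.7 +15550100",
    "1700000002 198.51.100.7 +15550101",
    "1700000004 198.51.100.7 +15550102",
    "1700000006 198.51.100.7 +15550103",
    "1700000008 198.51.100.7 +15550104",
    "1700000010 192.0.2.10 +15550123",
    "1700000300 192.0.2.10 +15550123",
]
```

A uniform status code only closes the channel if the response body and response time are also independent of whether the number is registered.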

LinkedIn job details

The League integrates with LinkedIn to show a user’s employer and job title on their profile. Sometimes it goes a bit overboard gathering information. The profile API returns detailed job position information scraped from LinkedIn, like the start year, end year, etc.

While the app does ask for user permission to read the LinkedIn profile, the user probably does not expect the detailed position information to be included in their profile for everyone else to view. I do not think that kind of information is necessary for the app to function, and it can probably be excluded from profile data.