Therefore I reverse engineered two dating apps.

Photo and video clip drip through misconfigured S3 buckets

Typically for photos or any other asserts, some sort of Access Control List (ACL) could be set up. A common way of implementing ACL would be for assets such as profile pictures

The main element would act as a “password” to get into the file, together with password would simply be offered users whom need use of the image. When it comes to an app that is dating it is whoever the profile is presented to.

We have identified several misconfigured buckets that are s3 The League through the research. All photos and videos are inadvertently made general general public, with metadata such as which user uploaded them as soon as. Ordinarily the software would obtain the pictures through Cloudfront, a CDN on top associated with the S3 buckets. Unfortunately the underlying S3 buckets are severely misconfigured.

Side note: as much as i can inform, the profile UUID is arbitrarily produced server-side whenever profile is done. In order that right part is not likely to be really easy to imagine. The filename is managed by the customer; the host takes any filename. In your client app it’s hardcoded to upload.jpg .

The seller has since disabled listObjects that are public. Nevertheless, we nevertheless think there ought to be some randomness into the key. A timestamp cannot act as key.

IP doxing through website website website website link previews

Link preview is something this is certainly difficult to get appropriate in great deal of messaging apps. You will find typically three techniques for website website link previews:

The League utilizes link that is recipient-side. Whenever a note includes a hyperlink to an image that is external the web link is fetched on user’s unit as soon as the message is seen. This could effortlessly enable a malicious transmitter to submit an external image URL pointing to an attacker managed host, obtaining recipient’s internet protocol address if the message is exposed.

An improved solution may be in order to connect the image into the message if it is delivered (sender-side preview), or have actually the server fetch the image and place it within the message (server-side preview). Server-side previews enables extra anti-abuse scanning. It may be a much better choice, but nonetheless perhaps not bulletproof.

Zero-click session hijacking through talk

The software will often connect the authorization header to demands which do not need verification, such as for instance Cloudfront GET needs. It will likewise happily hand out the bearer token in requests to outside domain names in some situations.

Those types of situations could be the outside image website link in chat messages. We know already the software utilizes recipient-side link previews, and also the demand towards the outside resource is executed in recipient’s context. The authorization header is roofed within the GET demand into the outside image Address. And so the bearer token gets leaked to your outside domain. Whenever a sender that is malicious a graphic website website website link pointing to an assailant managed host, not just do they get recipient’s internet protocol address, nonetheless they additionally obtain victim’s session token. This will be a vulnerability that is critical it permits session hijacking.

Keep in mind that unlike phishing, this assault will not need the target to click the website website website link. Once the message containing the image link is seen, the application immediately leaks the session token towards the attacker.

It appears to be a bug pertaining to the reuse of a worldwide OkHttp customer object. It might be most readily useful if the designers ensure the application just attaches authorization bearer header in demands towards the League API.


I didn’t find any vulnerabilities that are particularly interesting CMB, but that doesn’t suggest CMB is more protected compared to League. (See Limitations and future research). I did so locate a few safety dilemmas within the League, none of that have been specially tough to find out or exploit. I suppose it truly is the mistakes that are common make again and again. OWASP top anybody?

As customers we must be careful with which companies we trust with your information.

Vendor’s reaction

Used to do get a prompt reaction from The League after giving them a message alerting them associated with findings. The S3 bucket setup ended up being swiftly fixed. One other weaknesses had been patched or at the least mitigated within a weeks that are few.

I believe startups could offer bug bounties certainly. It really is a good motion, and even more importantly, platforms like HackerOne offer scientists a appropriate way to the disclosure of weaknesses. Regrettably neither of this two apps into the post has program that is such.

Limits and research that is future

This scientific studies are maybe maybe maybe not comprehensive, and really should never be regarded as a protection review. All of the tests on this page had been done in the community IO degree, and almost no on the customer it self. Particularly, we did not test for remote rule execution or buffer overflow kind weaknesses. In the future research, we’re able to look more in to the protection of this customer applications.

This might be through with powerful analysis, making use of practices such as for example: