Therefore I reverse engineered two dating apps.

And I also got a zero-click session hijacking as well as other enjoyable weaknesses

Wen this article I reveal a number of my findings throughout the engineering that is reverse of apps Coffee Meets Bagel therefore the League. We have identified a few critical weaknesses throughout the research, each of which have now been reported to your affected vendors.


In these unprecedented times, increasing numbers of people are escaping in to the world that is digital handle social distancing. Over these times cyber-security is more essential than in the past. From my experience that is limited few startups are mindful of security guidelines. The firms in charge of a big number of dating apps are no exclusion. We began this small research study to see exactly how secure the dating apps that are latest are.

Accountable disclosure

All high severity weaknesses disclosed in this article have now been reported to your vendors. Because of the period of publishing, matching patches have already been released, and I also have actually individually confirmed that the repairs come in destination.

I am going to perhaps maybe perhaps not offer details in their proprietary APIs unless appropriate.

The prospect apps

We picked two popular dating apps available on iOS and Android.

Coffee Meets Bagel

Coffee matches Bagel or CMB for brief, established in 2012, is well known for showing users a number that is limited of every single day. They’ve been hacked once in 2019, with 6 million records stolen. Leaked information included a name that is full email, age, enrollment date, and sex. CMB is gathering popularity in the past few years, and makes an excellent prospect with this task.

The League

The tagline when it comes to League application is “date intelligently”. Launched time in 2015, it’s a members-only application, with acceptance and fits according local hookup Detroit MI to LinkedIn and Twitter pages. The application is much more selective and expensive than its options, it is safety on par with all the cost?

Testing methodologies

I personally use a variety of fixed analysis and powerful analysis for reverse engineering. For fixed analysis we decompile the APK, mostly utilizing apktool and jadx. For powerful analysis an MITM is used by me system proxy with SSL proxy capabilities.

A lot of the screening is completed inside a Android os that is rooted emulator Android os 8 Oreo. Tests that need more capabilities are done on a genuine Android os unit operating Lineage OS 16 (according to Android os Pie), rooted with Magisk.

Findings on CMB

Both apps have complete large amount of trackers and telemetry, but i suppose this is certainly simply their state for the industry. CMB has more trackers compared to the League though.

See whom disliked you on CMB using this one simple trick

The API features a pair_action field in almost every bagel item which is an enum because of the after values:

There is an API that given a bagel ID returns the bagel item. The bagel ID is shown into the batch of day-to-day bagels. So if you wish to see if somebody has refused you, you can decide to try the next:

This is certainly a benign vulnerability, however it is funny that this industry is exposed through the API it is unavailable through the software.

Geolocation information drip, although not actually

CMB shows other users’ longitude and latitude up to 2 decimal places, that will be around 1 mile that is square. Luckily this information is maybe not real-time, which is just updated when a person chooses to upgrade their location. (we imagine this is employed because of the application for matchmaking purposes. We have perhaps perhaps maybe not confirmed this theory.)

But, i actually do think this industry could possibly be concealed through the reaction.

Findings on The League

Client-side created verification tokens

The League does one thing pretty unusual inside their login flow:

The UUID that becomes the bearer is completely client-side generated. Even even even Worse, the host will not validate that the bearer value is a real UUID that is valid. It might cause collisions as well as other issues.

I will suggest changing the login model and so the token that is bearer generated server-side and delivered to the client once the host gets the right OTP through the customer.

Telephone number drip through an unauthenticated API

Into the League there is certainly an unauthenticated api that accepts a contact quantity as question parameter. The API leakages information in HTTP reaction code. Once the telephone number is registered, it comes back 200 okay , nevertheless when the quantity isn’t registered, it comes back 418 we’m a teapot . It may be abused in a couple of means, e.g. mapping all of the figures under a place rule to see that is regarding the League and that is perhaps maybe not. Or it may result in prospective embarrassment whenever your coworker realizes you’re on the software.

It has because been fixed whenever bug was reported towards the vendor. Now the API merely returns 200 for several demands.

LinkedIn task details

The League integrates with LinkedIn to demonstrate a user’s job and employer name on the profile. Often it goes a bit overboard collecting information. The profile API returns job that is detailed information scraped from LinkedIn, such as the begin 12 months, end 12 months, etc.

Even though the application does ask user authorization to see LinkedIn profile, an individual most likely will not expect the step-by-step place information to be incorporated into their profile for everybody else to look at. I actually do maybe perhaps perhaps not believe that type or sort of information is essential for the application to operate, and it may oftimes be excluded from profile information.