‘We identified that it was possible to compromise any account on the application within a 10-minute timeframe’
Critical zero-day vulnerabilities in Gaper, an ‘age gap’ dating app, could be exploited to compromise any user account and potentially extort users, security researchers claim.
The absence of access controls, brute-force protection, and multi-factor authentication in the Gaper app means attackers could potentially exfiltrate sensitive personal data and use that data to achieve full account takeover within just 10 minutes.
More worryingly still, the attack did not leverage “0-day exploits or advanced techniques and we would not be surprised if this had not been previously exploited in the wild”, said UK-based Ruptura InfoSecurity in a technical write-up published yesterday (February 17).
Despite the apparent gravity of the threat, researchers said Gaper failed to respond to multiple attempts to contact them via email, their only support channel.
GETting personal data
Gaper, which launched in the summer of 2019, is a dating and social networking app aimed at people seeking a relationship with younger or older men or women.
Ruptura InfoSecurity says the app has around 800,000 users, mostly based in the UK and US.
Because certificate pinning was not enforced, the researchers said it was possible to obtain a manipulator-in-the-middle (MitM) position through the use of a Burp Suite proxy.
This enabled them to snoop on “HTTPS traffic and easily enumerate functionality”.
The researchers then set up a fake user profile and used a GET request to access the ‘info’ function, which revealed the user’s session token and user ID.
This allows an authenticated user to query any other user’s data, “providing they know their user_id value” – which is easily guessed since this value is “simply incremented by one each time a new user is created”, said Ruptura InfoSecurity.
“An attacker could iterate through the user_id’s to retrieve an extensive list of sensitive information that could be used in further targeted attacks against all users,” including “email address, date of birth, location and even gender orientation”, they continued.
Alarmingly, retrievable data is also said to include user-uploaded images, which “are stored within a publicly accessible, unauthenticated database – potentially leading to extortion-like situations”.
Covert brute-forcing
Armed with a list of user email addresses, the researchers opted against launching a brute-force attack against the login function, as this “could have potentially locked every user of the application out, which would have caused a huge amount of noise…”.
Instead, security shortcomings in the forgotten password API and a requirement for “only a single authentication factor” offered a more discreet path “to a complete compromise of arbitrary user accounts”.
The password change API responds to a valid email address with a 200 OK and sends that user an email containing a four-digit PIN that enables a password reset.
Observing a lack of rate limiting protection, the researchers wrote a tool to automatically “request a PIN number for a valid email address” before rapidly sending requests to the API containing various four-digit PIN permutations.
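As an added illustration (not code from Ruptura InfoSecurity, Gaper or The Daily Swig), the Python below contrasts an unthrottled four-digit PIN check, which the reported reset API resembled, with a hardened check that caps attempts, expires the PIN and burns it once the cap is hit; the attempt limit and ten-minute lifetime are assumed policy values, and the sweep helper exists only to show that the cap holds.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: guesses allowed per issued PIN
PIN_TTL_SECONDS = 600   # assumed policy: PIN expires after ten minutes


class ResetPinStore:
    """Server-side store of password-reset PINs, keyed by account email."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=PIN_TTL_SECONDS):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._pins = {}  # email -> {"pin", "issued", "attempts"}

    def issue(self, email, now=None, pin=None):
        # Four-digit PIN as described in the article; `pin` may be fixed for tests.
        if pin is None:
            pin = f"{secrets.randbelow(10_000):04d}"
        issued = time.time() if now is None else now
        self._pins[email] = {"pin": pin, "issued": issued, "attempts": 0}
        return pin

    def verify_unthrottled(self, email, guess):
        # Mirrors the weakness reported: no attempt limit, so 10,000 tries always suffice.
        rec = self._pins.get(email)
        return rec is not None and rec["pin"] == guess

    def verify(self, email, guess, now=None):
        # Hardened check: expiry, attempt cap that burns the PIN, single use, constant-time compare.
        rec = self._pins.get(email)
        if rec is None:
            return False
        now = time.time() if now is None else now
        rec["attempts"] += 1
        if now - rec["issued"] > self.ttl or rec["attempts"] > self.max_attempts:
            del self._pins[email]  # caller must request a fresh PIN
            return False
        if hmac.compare_digest(rec["pin"], guess):
            del self._pins[email]  # single use
            return True
        return False


def guesses_needed(email, verifier):
    """Sweep 0000-9999 against a verifier; returns attempts until acceptance, or None."""
    for n in range(10_000):
        if verifier(email, f"{n:04d}"):
            return n + 1
    return None
```

Pairing the cap with a per-account and per-IP request limit on the PIN-issuing endpoint closes the second half of the weakness the researchers describe.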
Public disclosure
In their attempt to report the issues to Gaper, the security researchers sent three emails to the company, on November 6 and 12, 2020, and January 4, 2021.
Having received no response within 90 days, they publicly disclosed the zero-days in line with Google’s vulnerability disclosure policy.
“Advice to users would be to disable their accounts and ensure that the applications they use for dating and other sensitive actions are suitably secure (at least with 2FA),” Tom Heenan, managing director of Ruptura InfoSecurity, told The Daily Swig.
As of today (February 18), Gaper has still not responded, he added.
The Daily Swig has also contacted Gaper for comment and will update the article if and when we hear back.