[HN Gopher] How to boost your popularity on OkCupid using CSRF a...
___________________________________________________________________

How to boost your popularity on OkCupid using CSRF and a JSON type confusion

Author : flipnotic
Score  : 158 points
Date   : 2021-08-02 17:20 UTC (5 hours ago)

(HTM) web link (blog.azuki.vip)

| mellosouls wrote:
| Reminder of the classic "Mathematician Hacks OkCupid" story from a few years back:
|
| https://www.wired.com/2014/01/how-to-hack-okcupid/
| hmsimha wrote:
| I believe this also requires that OKCupid has not set the 'SameSite=lax' attribute on their cookies, which is good practice as well; the browser won't send the user's cookies on cross-origin POST, PUT, PATCH, or DELETE requests when this attribute is set.
|
| So this exploit is really the confluence of failing to follow 2 standard security practices, as well as another unfortunate configuration quirk:
|
| - Failing to set SameSite=lax on their session cookie attribute
| - Not using a CSRF token to authenticate on unsafe HTTP actions
| - Not checking the content-type of API requests (though I'm not sure to what extent this is considered bad practice)
| simonw wrote:
| I thought most modern browsers behave as if SameSite=Lax automatically these days. Were OkCupid deliberately setting SameSite=None on their cookies?
| k__ wrote:
| Wasn't lax just for static assets like images that are linked in external HTML?
| ctoth wrote:
| > It also occurred to me that if I redirected my website to the CSRF link that automatically sent a message to me, I could see the OkCupid profiles of my website visitors who were logged into okcupid.com, which would make for an intense web analytics tool.
|
| Ouch.
| Teever wrote:
| I learned recently that if someone forwards you the email that OKC sends them alerting them to a new message and you click on it you gain passwordless access to their account.
|
| I contacted OKC about this but they said that it was not an issue.
| simonw wrote:
| That's shocking! Really surprised that they don't see this as an issue, I would expect that it's trivial to social engineer someone into forwarding you one of those emails.
| AnIdiotOnTheNet wrote:
| Maybe, but how much value is there in taking over people's OKCupid account?
| Johnny555 wrote:
| If there's no value or downside to someone taking over my OKCupid account, why have a password on it in the first place?
| yunohn wrote:
| This is a horrible take, obviously there's different levels of security and risk associated with everything.
| Johnny555 wrote:
| A horrible take on _how much value is there in taking over people's OKCupid account_?
|
| If there's literally no value in taking it over, then why password protect it in the first place?
|
| I have an online photo album and while I _could_ password protect it and share the password with people that I want to share it with, there's very little value (perhaps there's some small social engineering value) in protecting it. If there's no value in exposing it, why bother password protecting it?
| AnIdiotOnTheNet wrote:
| It's a bad take because you made it sound like I said it was worthless, when all I implied was that it isn't worth much. There's a difference.
| Johnny555 wrote:
| I took your reply as meaning it has so little value that there's no reason to or even harm if someone takes it over.
|
| Did you mean that it's valuable enough that someone should protect it, but shouldn't bother protecting it too much (like, anyone with the URL should have access to it) since it has little value? I'm not sure I really understand the nuance, but I'd be awfully surprised if I forwarded an email to someone from OKCupid and it gave them passwordless access to the account.
| rootsudo wrote:
| You'd be surprised, a lot - but I'd wager it's easier to just save the photos and open up your own honeypot that way.
|
| But the messages could be interesting.
| rendall wrote:
| Someone I knew once sent me an urgent direct message over Twitter that they were stranded in the City of London and needed me to wire money. Phone gone, computer stolen, they could only communicate by Twitter. Of course it wasn't actually my friend, but a 2-bit hacker. But if they were to collect enough accounts and message enough people, someone might bite. Maybe someone would give up something truly valuable if they really thought it was someone they cared about, a long lost son, or a pined-for ex.
| kfrzcode wrote:
| The value is relative to motivation, I'd posit
| srmarm wrote:
| There is a huge market in romance scams and people lose huge amounts to it, most people are clever enough to spot them but many aren't. Now if you're able to intercept a genuine conversation it'd give you a good advantage.
|
| Even at a lower level, just sending a bunch of messages asking for money for a cab/train/airfare might yield good returns. People let their guard down when there's a possibility of getting laid.
| nicoburns wrote:
| This isn't ideal, but why would anyone forward this kind of email?
| entropicdrifter wrote:
| The email itself could be intercepted, could it not?
| thih9 wrote:
| I guess when an adversary knows about the feature and uses some social engineering against the user?
| EpicEng wrote:
| In order to get access to their... OkCupid account? Not sure that I care.
| kfrzcode wrote:
| Everyone's got something to hide somewhere.
| wizzwizz4 wrote:
| Imagine https://www.wired.com/2017/01/grinder-lawsuit-spoofed-accoun..., without the spoofing.
| Johnny555 wrote:
| You might care if you were married and using OKCupid to find a girlfriend.
|
| You may say that getting exposed for trying to have an affair is a good thing, but that's still a reason why someone may care how secure their OKCupid activity is.
| Johnny555 wrote:
| I might forward it to a friend to ask if that's the girl he dated last week, without meaning to give him passwordless access to my account.
| DJBunnies wrote:
| Lots of sites do this, it's a feature for the majority of users who prefer convenience over security.
| [deleted]
| cmckn wrote:
| I find that passwordless links usually expire after 1 use or some amount of time; generating eternal alt-passwords for an OkCupid account in every message notification email seems pretty heinous.
| AlchemistCamp wrote:
| Gmail now pretty much breaks single-use tokens in links because it consumes them itself after a user clicks on them, but before redirecting the user to the site.
|
| It's an unfortunate change that has made single-use links a worse UX and less popular in the last couple of years.
| gbl08ma wrote:
| This sounds like it would break a bunch of email address verification systems, password recovery links and the like. I wonder if indeed it does break them, but since it only affects smaller websites nobody seems to care.
| AlchemistCamp wrote:
| > _"This sounds like it would break a bunch of email address verification systems, password recovery links and the like."_
|
| This is exactly the pain I've experienced with my own site, https://alchemist.camp
|
| I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.
|
| Password recovery links sporadically fail for gmail users.
| I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.
|
| My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.
| ncallaway wrote:
| This isn't the case in my experience.
|
| We have a tool that sends me an email with a single use link when it's used.
|
| I just now confirmed that I receive the email containing the single-use link, that I can click on it and view the page, and that the single-use link is no longer available after I've viewed the link.
|
| Is this perhaps conditional behavior of some sort?
| ExtraE wrote:
| Perhaps it's 2-use?
| ncallaway wrote:
| It's not. It's a tool we developed, and I've confirmed that the resource at the link is fully destroyed after the first access.
| llampx wrote:
| The Data Protection Agency loves this weird trick!
| yonran wrote:
| > Luckily the W3C deities gave us exactly such a gift in the form (pun intended) of the enctype attribute.
|
| Minor quibble: enctype="text/plain" didn't come from W3C. HTML 4.0 forms only defines enctype="application/x-www-form-urlencoded" (which pct-encodes the json delimiters {"":}) and enctype="multipart/form-data" (which has a non-json Boundary prefix) so if those were the only enctypes that browsers used, then this exploit would not have worked. https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4
|
| WHATWG HTML5 does define enctype="text/plain" behavior https://html.spec.whatwg.org/multipage/form-control-infrastr.... According to the mozilla docs, it was "Introduced by HTML5 for debugging purposes." https://developer.mozilla.org/en-US/docs/Web/HTML/Element/fo...
| But I doubt it was created by WHATWG either; in 2004 the HTML5 editor Ian Hickson said "I agree it is brain-dead (it's IE-compatible)" https://lists.w3.org/Archives/Public/public-whatwg-archive/2... Unfortunately I can't see history of the spec before 2006 though https://github.com/whatwg/html
| skohan wrote:
| This may be my favorite headline I have ever seen on Hacker News
| SahAssar wrote:
| As the author mentions, simply validating the content-type would have been enough. CSRF is generally not a problem if you validate content-types and/or use SameSite for cookies, both of which have been recommended for years.
| runbathtime wrote:
| Is this a type of inflation or a type of fraud or neither? Popularity is a made up category, or one that is ill defined while being manipulative. Popularity implies those most desired, but since this can be goosed by paying for attention, it is meaningless and hence let the hacking begin.
| PicassoCTs wrote:
| They might be security wise rather weak, but their statistics blog is a brutal-beautiful view into what humans search for dating.
|
| https://theblog.okcupid.com/tagged/data
| quacked wrote:
| What people say they sort on: personality, values, morals, political views, friendships, etc.
|
| What people sort on when they don't think they're being observed: genes
| filoleg wrote:
| The way I see it, people sort on both genes (aka looks) and personality/values/morals/etc.
|
| The thing is, by just scrolling through the feed/list of people to swipe on, you don't get to see much personality, mostly looks. To get to personality, you gotta talk to the person.
|
| So when you swipe, you filter mostly by looks. And once you match and start talking, that's when you filter by personality.
|
| Yes, one can say that you can get personality from their bio/profile, but that's such a non-consistent metric with tons of noise and misleading data (cliched/copypasted bio, nothing standing out, outdated bio, etc.). You need to have a conversation with a person to get a gauge of their real personality (of course, exceptions apply; if you see a profile/bio claiming that vaccines give kids autism and that the only valid covid treatment is essential oils, you kinda already have an idea who you are dealing with).
|
| And out of all those people you spend a lot of time intensely reading thru profiles of before swiping, most of them won't even match with you. So imo, it makes sense to initially swipe based purely on looks and a 5-10 second glance at the profile, and then try to gauge their personality only after you match.
| OminousWeapons wrote:
| I'm pretty sure 99% of people would openly agree that physical attraction is a core element of partner selection.
| xiphias2 wrote:
| Not anymore, but before online dating people were hiding it much more
| OminousWeapons wrote:
| People were trying to hide that they actually want to be sexually attracted to their partner?...
| xiphias2 wrote:
| To me (a not attractive man) yes. But I'm from Eastern Europe, the culture is different there.
| nonameiguess wrote:
| If I'm remembering correctly, it was way more specific than that. The only genetic thing is there were some extreme racial biases. You really don't want to be an Asian man or a Black woman on a dating site.
|
| But plenty of non-genetic things. Back when they let you list an income range, men with higher incomes got much better response rates. Men heavily favor women who are at least ten years younger than them.
| There were weirdly specific things about your photos that mattered, too, like you'd get a much better response rate if other people weren't in the photo with you, you'd get a better response rate if you weren't looking at the camera. Women were more attractive if they were smiling but men did better if they were not smiling.
|
| Christian Rudder used to publish gold mines for anyone who wanted to just game hot-or-not. Plenty of this was stuff you could control, not genetic. Though I guess you can't exactly control your age even if it isn't genetic. It also let you sift through the lies, like women would always say they were turned off by shirtless pictures, but based purely on response rates, that definitely wasn't true for men who actually had lean bodies.
| [deleted]
| moneywoes wrote:
| Interesting, have a link for the study? Can't seem to find it
| bellyfullofbac wrote:
| Not OP, but https://www.gwern.net/docs/psychology/okcupid/raceandattract...
|
| This talks about a follow-up study 5 years after the first one, searching "okcupid race and attraction" doesn't find me the link to the 2009 article.
| rhizome wrote:
| OKCupid doesn't allow you to sort on anything anymore. It's all part of their business model of preventing people from creating permanent relationships. Yes, some slip through, don't @ me.
| monkeybutton wrote:
| One of the founders published an excellent book that is an extension of the blog: https://www.goodreads.com/book/show/21480734-dataclysm
| purerandomness wrote:
| The official blog is the cleaned-up version, they removed the most interesting articles when they sold out to match.com
|
| Famously, the article "Why You Should Never Pay For Online Dating" got deleted during the acquisition.
|
| [1] Mirror: https://www.gwern.net/docs/psychology/okcupid/whyyoushouldne...
| klodolph wrote:
| It's a good article, and one of the key takeaways:
|
| If a dating site makes you pay to send messages, then they have an incentive to make you send messages to inactive accounts rather than active accounts, since people with inactive accounts have to pay in order to reply.
| Rebelgecko wrote:
| Sadly a lot of their most interesting posts went away after they were acquired
| filoleg wrote:
| Is it just me, or the images on the post are not loading?
|
| Initially I tried on the most recent FF, and about half the images were not loading. Refreshed the page, no images were loading after that at all.
|
| Then I tried on the most recent Chrome, images were not loading at all either.
|
| If someone has a workaround, please let me know. I have confirmed that adblocker and such were all disabled.
|
| Upon trying to access the images directly, I got this 403 error:
|
| > Your client does not have permission to get URL /u/0/d/<rest-of-the-URL> from this server. (Client IP address: <my-ip-address>)
|
| > Rate-limit exceeded. That's all we know.
| darknavi wrote:
| Not just you. On Edge Chromium and no images are loading.
| matsemann wrote:
| Would relying on CORS still work as long as the server checks that the type is actually application/json? Since those headers are impossible to set from a form, and doing it with fetch it would trigger a preflight request.
| digitcatphd wrote:
| This is so HN lol
| IgorPartola wrote:
| As someone who used to be somewhat active on the site and even tried out their paid subscription, I had the features of the paid subscription for years after I canceled my membership. They finally caught it and disabled them but it was pretty clearly a bug.
| vmception wrote:
| > I found you could use essentially the same vulnerability to get other users to "like" your profile.
| > Obviously you could abuse this in order to match with anyone you could trick into clicking a link, or you could spam the link to a bunch of people to increase your profile's rankings in whatever mysterious algorithm OkCupid uses to suggest people.
|
| Ha! They should have used this to increase their evolutionary fitness!
|
| Assumptions about matchmaking app algorithms are the crux of my behavior on dating apps. Far far greater influence than other users' independent impression of my profile or me trying to put a best foot forward.
| the__alchemist wrote:
| Anecdote: OkCupid is the only website or app where I've had an account hijacked. I got it back with a password reset, but the profile and pics were filled with bogus content.
| jacquesm wrote:
| That's what I would say too ;)
| m0rti wrote:
| I had the same experience. My profile was transformed into a 50-year-old white male wearing a trucker hat without my knowledge. By the time I was able to access my account, it had a bunch of matches and messages from 50-60 year-old American women.
| spywaregorilla wrote:
| Any idea what the intent was?
| bellyfullofbac wrote:
| Ah, more than a decade ago I found a similar issue on Friendster (anyone remember them?), I could embed an HTML image tag in my profile which loaded a PHP script (under my control) that would redirect the user to something like friendster.com/poke?id=[my user id], so if anyone visited my profile, their browser would GET that URL and I'd get a "poke" (I don't remember the Friendster term for it), notifying me who visited my profile.
|
| I didn't get many pokes, and I can't tell what part of this story is the saddest. Maybe the part that there probably weren't bounties back then (that I was aware of) and I didn't get any money for this discovery.
| cj wrote:
| A version of this was (maybe still is?)
| possible with LinkedIn, where you could simply embed a LinkedIn profile in a hidden iframe and then use the "who viewed my profile" feature to see who viewed your site.
| nonameiguess wrote:
| I have no idea if OkCupid still does this, but they used to segment their users based on attractiveness ratings. At first, I think it was solely just literally your attractiveness rating. They had a feature where you could rate people 1-5 stars and if you were in the top 50% of all rated users, you'd only see other people in the top 50% in your search results. If you were lower 50%, you'd only see people in the lower 50%. I think they eventually made this more sophisticated by augmenting the explicit average star rating with other measures of engagement like how often people saved your profile, how many messages you received, and the rate at which your own messages were answered.
|
| Something like this could have been valuable to get you into the upper tier.
| Decker87 wrote:
| > Something like this could have been valuable to get you into the upper tier.
|
| Only valuable until people view my profile picture.
| kbenson wrote:
| Oh, someone that knows what they're doing photographically can help quite a bit there. A good professional portrait photographer has probably forgotten more tips and tricks to do with posing and lighting than the average Instagram professional ever knew.
| OJFord wrote:
| And then what? You score the date and rely on your awesome personality to make up not only for being physically disappointing, but having to some degree lied about it via a professional portrait photographer's tips and tricks?
|
| And if all that works, you found someone who liked the look of a fake/augmented version of yourself, but whom you persuaded to like the real self anyway... Congratulations?
| mastazi wrote:
| I think sometimes having a foot in the door helps anyways.
| Of course grossly misrepresenting yourself is a bad idea but enhancing a bit, why not? Also, it is indeed possible that your potential partners may value other aspects beside your appearance, not everyone is obsessed with looks. But of course your mileage may vary depending who you met in your life, and also based on where you live / local customs etc.
|
| Then there is the issue of how you perceive yourself, when I was in my 20s and 30s I used to think of myself as not attractive, but now when I look back at my old photos from a more detached point of view, I think I was a fairly attractive young man. Excessive self criticism can be bad and artificially put you down.
|
| After entering a "serious" relationship and then getting married in my 30s I was able to look at myself in a more balanced way. I think my previous self-criticism was fuelled by some vague fear that I would never find a partner and I would live a lonely life. Probably it's a common thought among people of that age.
| kbenson wrote:
| > having to some degree lied about it via a professional portrait photographer's tips and tricks?
|
| Those tips and tricks are no different in kind than what people do themselves, the only difference is knowledge.
|
| > And if all that works, you found someone who liked the look of a fake/augmented version of yourself, but whom you persuaded to like the real self anyway... Congratulations?
|
| Let's not act like first impressions have no meaning, and that getting around them doesn't have benefit and allow other things to come through that wouldn't have gotten a chance otherwise.
|
| Haven't you ever become friends with someone that you disliked or avoided to some degree initially because of some bad first impression?
| throwaway0a5e wrote:
| It's probably better to be erroneously in the bottom tier than erroneously in the top tier for reasons that should be obvious.
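Editor's note, returning to the vulnerability the thread is about (the hmsimha, simonw, yonran, SahAssar and matsemann comments above): the following is an added example, not code from the post, from this thread or from OkCupid, of how a cross-site HTML form with enctype="text/plain" yields a body that a lenient JSON endpoint accepts, next to the checks that close it. The endpoint, the field names, the origins and the session-to-CSRF-token table are constructed for illustration; the post's actual request format is not reproduced here.

```javascript
// Added example (not from the post, the thread or OkCupid). Endpoint, field
// names, origins and the session/CSRF-token table are assumptions.

// How a browser serialises a form with enctype="text/plain" (WHATWG "text/plain
// encoding"): each entry is name "=" value followed by CRLF, with no escaping.
function encodeTextPlain(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join("");
}

// The type confusion: nearly all of the JSON is placed in the field *name*, and
// the "=" the browser inserts is swallowed by a throwaway string value.
const attackerFields = [[`{"recipient_id":"attacker","text":"hi","_":"`, `"}`]];
// Resulting body: {"recipient_id":"attacker","text":"hi","_":"="}\r\n

// What the server sees when the victim's browser submits the attacker's form:
// the victim's cookie (unless SameSite withholds it), Content-Type text/plain,
// the attacker's Origin, and Sec-Fetch-Site: cross-site.
function crossSiteFormPost(fields) {
  return {
    method: "POST",
    headers: {
      "content-type": "text/plain",
      origin: "https://attacker.example",
      "sec-fetch-site": "cross-site",
      cookie: "session=victim-session",
    },
    body: encodeTextPlain(fields),
  };
}

const SITE_ORIGIN = "https://dating.example";                            // assumption
const CSRF_TOKEN_FOR_SESSION = { "session=victim-session": "tok-123" };  // constructed table

// The same action as issued by the site's own front-end JavaScript.
function sameOriginJsonPost(payload, csrfToken) {
  return {
    method: "POST",
    headers: {
      "content-type": "application/json; charset=utf-8",
      origin: SITE_ORIGIN,
      "sec-fetch-site": "same-origin",
      cookie: "session=victim-session",
      "x-csrf-token": csrfToken,
    },
    body: JSON.stringify(payload),
  };
}

// Vulnerable handler: parses whatever arrived as JSON and trusts the cookie alone.
function sendMessageVulnerable(req) {
  const msg = JSON.parse(req.body);   // happily accepts the text/plain body above
  return { status: 200, sentTo: msg.recipient_id };
}

// Hardened handler: exact media type, Origin / Fetch-Metadata check, CSRF token.
function sendMessageHardened(req) {
  const mediaType = (req.headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") return { status: 415 };   // no HTML form can send this type
  const site = req.headers["sec-fetch-site"];
  if (req.headers["origin"] !== SITE_ORIGIN || (site && site !== "same-origin")) return { status: 403 };
  const expected = CSRF_TOKEN_FOR_SESSION[req.headers["cookie"]];
  if (!expected || req.headers["x-csrf-token"] !== expected) return { status: 403 };
  let msg;
  try { msg = JSON.parse(req.body); } catch (e) { return { status: 400 }; }
  if (typeof msg.recipient_id !== "string") return { status: 400 };
  return { status: 200, sentTo: msg.recipient_id };
}
```

On matsemann's question: `application/json` is not a CORS-safelisted request Content-Type, so a cross-origin `fetch()` that sets it triggers a preflight the server never approves, and a plain form can only produce the three form enctypes, so the exact media-type check alone stops this particular attack in a browser. The Origin / `Sec-Fetch-Site` check and the token are defence in depth. On the SameSite point: Chromium's Lax-by-default treats a cookie without a SameSite attribute as Lax, but with a carve-out that still sends cookies less than two minutes old on top-level cross-site POSTs, so an explicit `SameSite=Lax` (or `Strict`) on the session cookie is still worth setting rather than relying on the default.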
| slig wrote:
| They had a thing where if you dismissed the top attractive users they would segment you as attractive as well and bump you up to the upper tier.
___________________________________________________________________
(page generated 2021-08-02 23:00 UTC)