[HN Gopher] How to boost your popularity on OkCupid using CSRF a...
___________________________________________________________________
How to boost your popularity on OkCupid using CSRF and a JSON type
confusion
Author : flipnotic
Score : 158 points
Date : 2021-08-02 17:20 UTC (5 hours ago)
(HTM) web link (blog.azuki.vip)
| mellosouls wrote:
| Reminder of the classic "Mathematician Hacks OkCupid" story from
| a few years back:
|
| https://www.wired.com/2014/01/how-to-hack-okcupid/
| hmsimha wrote:
| I believe this also requires that OKCupid has not set the
| 'SameSite=lax' attribute on their cookies, which is good practice
| as well; the browser won't send the user's cookies on cross-
| origin POST, PUT, PATCH, or DELETE requests when this attribute
| is set.
|
| So this exploit is really the confluence of failing to follow 2
| standard security practices, as well as another unfortunate
| configuration quirk:
|
| - Failing to set SameSite=lax on their session cookie attribute
| - Not using a CSRF token to authenticate on unsafe HTTP actions
| - Not checking the content-type of API requests (though I'm not
| sure to what extent this is considered bad practice)
| simonw wrote:
| I thought most modern browsers behave as if SameSite=Lax
| automatically these days. Were OkCupid deliberately setting
| SameSite=None on their cookies?
| k__ wrote:
| Wasn't lax just for static assets like images that are linked
| in external HTML?
| ctoth wrote:
| > It also occurred to me that if I redirected my website to the
| CSRF link that automatically sent a message to me, I could see
| the OkCupid profiles of my website visitors who were logged into
| okcupid.com, which would make for an intense web analytics tool.
|
| Ouch.
| Teever wrote:
| I learned recently that if someone forwards you the email that
| OKC sends them alerting them to a new message and you click on
| it you gain passwordless access to their account.
|
| I contacted OKC about this but they said that it was not an
| issue.
| simonw wrote:
| That's shocking! Really surprised that they don't see this as
| an issue, I would expect that it's trivial to social engineer
| someone into forwarding you one of those emails.
| AnIdiotOnTheNet wrote:
| Maybe, but how much value is there in taking over people's
| OKCupid account?
| Johnny555 wrote:
| If there's no value or downside to someone taking over my
| OKCupid account, why have a password on it in the first
| place?
| yunohn wrote:
| This is a horrible take, obviously there are different
| levels of security and risk associated with everything.
| Johnny555 wrote:
| A horrible take on _how much value is there in taking
| over people 's OKCupid account_?
|
| If there's literally no value in taking it over, then why
| password protect it in the first place?
|
| I have an online photo album and while I _could_ password
| protect it and share the password with people that I want
| to share it with, there 's very little value (perhaps
| there's some small social engineering value) in
| protecting it. If there's no value in exposing it, why
| bother password protecting it?
| AnIdiotOnTheNet wrote:
| It's a bad take because you made it sound like I said it
| was worthless, when all I implied was that it isn't worth
| much. There's a difference.
| Johnny555 wrote:
| I took your reply as meaning it has so little value that
| there's no reason to or even harm if someone takes it
| over.
|
| Did you mean that it's valuable enough that someone
| should protect it, but shouldn't bother protecting it too
| much (like, anyone with the URL should have access to it)
| since it has little value? I'm not sure I really
| understand the nuance, but I'd be awfully surprised if I
| forwarded an email to someone from OKCupid and it gave
| them passwordless access to the account.
| rootsudo wrote:
| You'd be surprised, a lot - but I'd wager it's easier to
| just save the photos and open up your own honeypot that
| way.
|
| But the messages could be interesting.
| rendall wrote:
| Someone I knew once sent me an urgent direct message over
| Twitter that they were stranded in the City of London and
| needed me to wire money. Phone gone, computer stolen,
| they could only communicate by Twitter. Of course it
| wasn't actually my friend, but a 2-bit hacker. But if
| they were to collect enough accounts and message enough
| people, someone might bite. Maybe someone would give up
| something truly valuable if they really thought it was
| someone they cared about, a long lost son, or a pined-for
| ex.
| kfrzcode wrote:
| The value is relative to motivation, I'd posit
| srmarm wrote:
| There is a huge market in romance scams and people lose
| huge amounts to it, most people are clever enough to spot
| them but many aren't. Now if you're able to intercept a
| genuine conversation it'd give you a good advantage.
|
| Even at a lower level, just sending a bunch of messages
| asking for money for a cab/train/airfare might yield good
| returns. People let their guard down when there's a
| possibility of getting laid.
| nicoburns wrote:
| This isn't ideal, but why would anyone forward this kind of
| email?
| entropicdrifter wrote:
| The email itself could be intercepted, could it not?
| thih9 wrote:
| I guess when an adversary knows about the feature and uses
| some social engineering against the user?
| EpicEng wrote:
| In order to get access to their... OkCupid account? Not
| sure that I care.
| kfrzcode wrote:
| Everyone's got something to hide somewhere.
| wizzwizz4 wrote:
| Imagine https://www.wired.com/2017/01/grinder-lawsuit-
| spoofed-accoun..., without the spoofing.
| Johnny555 wrote:
| You might care if you were married and using OKCupid to
| find a girlfriend.
|
| You may say that getting exposed for trying to have an
| affair is a good thing, but that's still a reason why
| someone may care how secure their OKCupid activity is.
| Johnny555 wrote:
| I might forward it to a friend to ask if that's the girl he
| dated last week, without meaning to give him passwordless
| access to my account.
| DJBunnies wrote:
| Lots of sites do this, it's a feature for the majority of
| users who prefer convenience over security.
| cmckn wrote:
| I find that passwordless links usually expire after 1 use
| or some amount of time; generating eternal alt-passwords
| for an OkCupid account in every message notification email
| seems pretty heinous.
| AlchemistCamp wrote:
| Gmail now pretty much breaks single-use tokens in links
| because it consumes them itself after a user clicks on
| them, but before redirecting the user to the site.
|
| It's an unfortunate change that has made single-use links
| a worse UX and less popular in the last couple of years.
| gbl08ma wrote:
| This sounds like it would break a bunch of email address
| verification systems, password recovery links and the
| like. I wonder if indeed it does break them, but since it
| only affects smaller websites nobody seems to care.
| AlchemistCamp wrote:
| > _"This sounds like it would break a bunch of email
| address verification systems, password recovery links and
| the like."_
|
| This is exactly the pain I've experienced with my own
| site, https://alchemist.camp
|
| I've manually tested it and seen the token consumed when
| clicking the link via gmail but had no issues when
| copying the link from the password reset email to a gmail
| account. A second manual tester confirmed the same, as
| have multiple support cases.
|
| Password recovery links sporadically fail for gmail
| users. I had to add extra instructions to copy and paste
| rather than click through the link and am in the process
| of moving away from single-use tokens because a lot of
| people still click before reading those instructions and
| email me for support.
|
| My increased customer support burden isn't something
| Gmail PMs worry about, but they may whitelist some larger
| service's emails.
| ncallaway wrote:
| This isn't the case in my experience.
|
| We have a tool that sends me an email with a single use
| link when it's used.
|
| I just now confirmed that I receive the email containing
| the single-use link, that I can click on it and view the
| page, and that the single-use link is no longer available
| after I've viewed the link.
|
| Is this perhaps conditional behavior of some sort?
| ExtraE wrote:
| Perhaps it's 2-use?
| ncallaway wrote:
| It's not. It's a tool we developed, and I've confirmed
| that the resource at the link is fully destroyed after
| the first access.
| llampx wrote:
| The Data Protection Agency loves this weird trick!
| yonran wrote:
| > Luckily the W3C deities gave us exactly such a gift in the form
| (pun intended) of the enctype attribute.
|
| Minor quibble: enctype="text/plain" didn't come from W3C. HTML
| 4.0 forms only defines enctype="application/x-www-form-
| urlencoded" (which pct-encodes the json delimiters {"":}) and
| enctype="multipart/form-data" (which has a non-json Boundary
| prefix) so if those were the only enctypes that browsers used,
| then this exploit would not have worked.
| https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4
|
| WHATWG HTML5 does define enctype="text/plain" behavior
| https://html.spec.whatwg.org/multipage/form-control-infrastr....
| According to the mozilla docs, it was "Introduced by HTML5 for
| debugging purposes." https://developer.mozilla.org/en-
| US/docs/Web/HTML/Element/fo... But I doubt it was created by
| WHATWG either; in 2004 the HTML5 editor Ian Hickson said "I agree
| it is brain-dead (it's IE-compatible)"
| https://lists.w3.org/Archives/Public/public-whatwg-archive/2...
| Unfortunately I can't see history of the spec before 2006 though
| https://github.com/whatwg/html
| skohan wrote:
| This may be my favorite headline I have ever seen on Hacker News
| SahAssar wrote:
| As the author mentions, simply validating the content-type would
| have been enough. CSRF is generally not a problem if you validate
| content-types and/or use SameSite for cookies, both of which have
| been recommended for years.
| runbathtime wrote:
| Is this a type of inflation or a type of fraud or neither?
| Popularity is a made up category, or one that is ill defined
| while being manipulative. Popularity implies those most desired,
| but since this can be goosed by paying for attention, it is
| meaningless and hence let the hacking begin.
| PicassoCTs wrote:
| They might be security wise rather weak, but their statistics
| blog is a brutal-beautiful view into what humans search for
| dating.
|
| https://theblog.okcupid.com/tagged/data
| quacked wrote:
| What people say they sort on: personality, values, morals,
| political views, friendships, etc.
|
| What people sort on when they don't think they're being
| observed: genes
| filoleg wrote:
| The way I see it, people sort on both genes (aka looks) and
| personality/values/morals/etc.
|
| The thing is, by just scrolling through the feed/list of
| people to swipe on, you don't get to see much personality,
| mostly looks. To get to personality, you gotta talk to the
| person.
|
| So when you swipe, you filter mostly by looks. And once you
| match and start talking, that's when you filter by
| personality.
|
| Yes, one can say that you can get personality from their
| bio/profile, but that's such a non-consistent metric with
| tons of noise and misleading data (cliched/copypasted bio,
| nothing standing out, outdated bio, etc.). You need to have a
| conversation with a person to get a gauge of their real
| personality (of course, exceptions apply; if you see a
| profile/bio claiming that vaccines give kids autism and that
| the only valid covid treatment is essential oils, you kinda
| already have an idea who you are dealing with).
|
| And out of all those people you spend a lot of time intensely
| reading thru profiles of before swiping, most of them won't
| even match with you. So imo, it makes sense to initially
| swipe based purely on looks and a 5-10 second glance at the
| profile, and then try to gauge their personality only after
| you match.
| OminousWeapons wrote:
| I'm pretty sure 99% of people would openly agree that
| physical attraction is a core element of partner selection.
| xiphias2 wrote:
| Not anymore, but before online dating people were hiding it
| much more
| OminousWeapons wrote:
| People were trying to hide that they actually want to be
| sexually attracted to their partner?...
| xiphias2 wrote:
| To me (a not attractive man) yes. But I'm from Eastern
| Europe, the culture is different there.
| nonameiguess wrote:
| If I'm remembering correctly, it was way more specific than
| that. The only genetic thing is there were some extreme
| racial biases. You really don't want to be an Asian man or a
| Black woman on a dating site.
|
| But plenty of non-genetic things. Back when they let you list
| an income range, men with higher incomes got much better
| response rates. Men heavily favor women who are at least ten
| years younger than them. There were weirdly specific things
| about your photos that mattered, too, like you'd get a much
| better response rate if other people weren't in the photo
| with you, you'd get a better response rate if you weren't
| looking at the camera. Women were more attractive if they
| were smiling but men did better if they were not smiling.
|
| Christian Rudder used to publish gold mines for anyone who
| wanted to just game hot-or-not. Plenty of this was stuff you
| could control, not genetic. Though I guess you can't exactly
| control your age even if it isn't genetic. It also let you
| sift through the lies, like women would always say they were
| turned off by shirtless pictures, but based purely on
| response rates, that definitely wasn't true for men who
| actually had lean bodies.
| moneywoes wrote:
| Interesting, have a link for the study? Can't seem to find
| it
| bellyfullofbac wrote:
| Not OP, but https://www.gwern.net/docs/psychology/okcupid
| /raceandattract...
|
| This talks about a follow-up study 5 years after the
| first one, searching "okcupid race and attraction"
| doesn't find me the link to the 2009 article.
| rhizome wrote:
| OKCupid doesn't allow you to sort on anything anymore. It's
| all part of their business model of preventing people from
| creating permanent relationships. Yes, some slip through,
| don't @ me.
| monkeybutton wrote:
| One of the founders published an excellent book that is an
| extension of the blog:
| https://www.goodreads.com/book/show/21480734-dataclysm
| purerandomness wrote:
| The official blog is the cleaned-up version, they removed the
| most interesting articles when they sold out to match.com
|
| Famously, the article "Why You Should Never Pay For Online
| Dating" got deleted during the acquisition.
|
| [1] Mirror:
| https://www.gwern.net/docs/psychology/okcupid/whyyoushouldne...
| klodolph wrote:
| It's a good article, and one of the key takeaways:
|
| If a dating site makes you pay to send messages, then they
| have an incentive to make you send messages to inactive
| accounts rather than active accounts, since people with
| inactive accounts have to pay in order to reply.
| Rebelgecko wrote:
| Sadly a lot of their most interesting posts went away after
| they were acquired
| filoleg wrote:
| Is it just me, or the images on the post are not loading?
|
| Initially I tried on the most recent FF, and about half the
| images were not loading. Refreshed the page, no images were
| loading after that at all.
|
| Then I tried on the most recent Chrome, images were not loading
| at all either.
|
| If someone has a workaround, please let me know. I have confirmed
| that adblocker and such were all disabled.
|
| Upon trying to access the images directly, I got this 403 error:
|
| > Your client does not have permission to get URL /u/0/d/<rest-
| of-the-URL> from this server. (Client IP address: <my-ip-
| address>)
|
| > Rate-limit exceeded. That's all we know.
| darknavi wrote:
| Not just you. On Edge Chromium and no images are loading.
| matsemann wrote:
| Would relying on CORS still work as long as the server checks
| that the type is actually application/json? Since those headers
| are impossible to set from a form, and doing it with fetch it
| would trigger a preflight request.
| digitcatphd wrote:
| This is so HN lol
| IgorPartola wrote:
| As someone who used to be so want active on the site and even
| tried out their paid subscription, I had the features of the paid
| subscription for years after I canceled my membership. They
| finally caught it and disabled them but it was pretty clearly a
| bug.
| vmception wrote:
| > I found you could use essentially the same vulnerability to get
| other users to "like" your profile. Obviously you could abuse
| this in order to match with anyone you could trick into clicking
| a link, or you could spam the link to a bunch of people to
| increase your profile's rankings in whatever mysterious algorithm
| OkCupid uses to suggest people.
|
| Ha! They should have used this to increase their evolutionary
| fitness!
|
| Assumptions about matchmaking app algorithms are the crux of my
| behavior on dating apps. Far far greater influence than other
| users independent impression of my profile or me trying to put a
| best foot forward.
| the__alchemist wrote:
| Anecdote: OkCupid is the only website or app where I've had an
| account hijacked. I got it back with a password reset, but the
| profile and pics were filled with bogus content.
| jacquesm wrote:
| That's what I would say too ;)
| m0rti wrote:
| I had the same experience. My profile was transformed into a
| 50-year-old white male wearing a trucker hat without my
| knowledge. By the time I was able to access my account, it had
| a bunch of matches and messages from 50-60 year-old American
| women.
| spywaregorilla wrote:
| Any idea what the intent was?
| bellyfullofbac wrote:
| Ah, more than a decade ago I found a similar issue on Friendster
| (anyone remember them?), I could embed an HTML image tag in my
| profile which loaded a PHP script (under my control) that would
| redirect the user to something like friendster.com/poke?id=[my
| user id], so if anyone visited my profile, their browser would
| GET that URL and I'd get a "poke" (I don't remember the
| Friendster term for it), notifying me who visited my profile.
|
| I didn't get many pokes, and I can't tell what part of this story
| is the saddest. Maybe the part that there probably weren't
| bounties back then (that I was aware of) and I didn't get any
| money for this discovery.
| cj wrote:
| A version of this was (maybe still is?) possible with LinkedIn,
| where you could simply embed a LinkedIn profile in a hidden
| iframe and then use the "who viewed my profile" feature to see
| who viewed your site.
| nonameiguess wrote:
| I have no idea if OkCupid still does this, but they used to
| segment their users based on attractiveness ratings. At first, I
| think it was solely just literally your attractiveness rating.
| They had a feature where you could rate people 1-5 stars and if
| you were in the top 50% of all rated users, you'd only see other
| people in the top 50% in your search results. If you were lower
| 50%, you'd only see people in the lower 50%. I think they
| eventually made this more sophisticated by augmenting the
| explicit average star rating with other measures of engagement
| like how often people saved your profile, how many messages you
| received, and the rate at which your own messages were answered.
|
| Something like this could have been valuable to get you into the
| upper tier.
| Decker87 wrote:
| > Something like this could have been valuable to get you into
| the upper tier.
|
| Only valuable until people view my profile picture.
| kbenson wrote:
| Oh, someone that knows what they're doing photographically
| can help quite a bit there. A good professional portrait
| photographer has probably forgotten more tips and tricks to
| do with posing and lighting than the average Instagram
| professional ever knew.
| OJFord wrote:
| And then what? You score the date and rely on your awesome
| personality to make up not only for being physically
| disappointing, but having to some degree lied about it via
| a professional portrait photographer's tips and tricks?
|
| And if all that works, you found someone who liked the look
| of a fake/augmented version of yourself, but whom you
| persuaded to like the real self anyway... Congratulations?
| mastazi wrote:
| I think sometimes having a foot in the door helps
| anyways. Of course grossly misrepresenting yourself is a
| bad idea but enhancing a bit, why not? Also, it is indeed
| possible that your potential partners may value other
| aspects beside your appearance, not everyone is obsessed
| with looks. But of course your mileage may vary depending
| who you met in your life, and also based on where you
| live / local customs etc.
|
| Then there is the issue of how you perceive yourself,
| when I was in my 20s and 30s I used to think of myself as
| not attractive, but now when I look back at my old photos
| from a more detached point of view, I think I was a
| fairly attractive young man. Excessive self criticism can
| be bad and artificially put you down.
|
| After entering a "serious" relationship and then getting
| married in my 30s I was able to look at myself in a more
| balanced way. I think my previous self-criticism was
| fuelled by some vague fear that I would never find a
| partner and I would live a lonely life. Probably it's a
| common thought among people of that age.
| kbenson wrote:
| > having to some degree lied about it via a professional
| portrait photographer's tips and tricks?
|
| Those tips and tricks are no different in kind than what
| people do themselves, the only difference is knowledge.
|
| > And if all that works, you found someone who liked the
| look of a fake/augmented version of yourself, but whom
| you persuaded to like the real self anyway...
| Congratulations?
|
| Let's not act like first impressions have no meaning, and
| that getting around them doesn't have benefit and allow
| other things to come through that wouldn't have gotten a
| chance otherwise.
|
| Haven't you ever become friends with someone that you
| disliked or avoided to some degree initially because of
| some bad first impression?
| throwaway0a5e wrote:
| It's probably better to be erroneously in the bottom tier than
| erroneously in the top tier for reasons that should be obvious.
| slig wrote:
| They had a thing where if you dismissed the top attractive
| users they would segment you as attractive as well and bump you
| up to the upper tier.
___________________________________________________________________
(page generated 2021-08-02 23:00 UTC)