Consequently we reverse engineered two dating apps & Coffee satisfies bagel

Consequently we reverse engineered two dating apps & Coffee satisfies bagel

And I additionally also got a session that is zero-click along with other enjoyable weaknesses

About this web page we expose a number of my findings through the engineering that is reverse the apps Coffee Meets Bagel as well as the League. We now have identified a couple of critical weaknesses throughout the investigation, each one of these have been completely reported to your vendors which can be impacted.


Over these unprecedented times, more and more people are escaping into the electronic globe to take care of distancing that is social. Of these times that are right is much more important than in the past. From my experience that is limited few startups are mindful of protection tips. The companies in charge of a number that is big of apps are not any exclusion. We started this small study to see precisely so just how secure the dating apps that are latest are.

Accountable disclosure

All extent this is certainly high disclosed in this essay have already been reported in to the vendors. By the amount of publishing, matching patches have now been released, and I likewise have really separately confirmed that the repairs are typically in spot.

I will maybe not provide details inside their APIs this is certainly proprietary unless.

The outlook apps

We picked two popular apps that are dating on iOS and Android os.

Coffee Suits Bagel

Coffee satisfies Bagel or CMB for quick, created in 2012, is recognized for showing users a limited range that is wide of every day. They are hacked whenever in 2019, with 6 million documents taken. Leaked information included a title, email address contact information, age, enrollment date, and intercourse. CMB happens to be appeal this is certainly gaining contemporary times, and makes a useful possibility because for this task.

The League

The tagline in terms of League application is intelligently that isdate. Launched a little while in 2015, it is actually an application this is certainly members-only with acceptance and fits based on LinkedIn and Twitter pages. The application form is more expensive and selective than its choices, it is security on par while using the expense?

Testing methodologies

We benefit from a mixture of fixed analysis and powerful analysis for reverse engineering. For fixed analysis we decompile the APK, mostly utilizing apktool and jadx. An MITM is used by me system proxy with SSL proxy capabilities for powerful analysis.

A lot of the assessment is finished in the Android os that is rooted emulator Android os 8 Oreo. Tests that require more abilities are done on a real Android os product operating Lineage OS 16 (based on Android os Pie), rooted with Magisk.

Findings on CMB

Both apps have actually lot of trackers and telemetry, but I suppose this is certainly merely their state when it comes to industry. CMB has more trackers set alongside the League though.

See who disliked you on CMB applying this one trick that is easy

A pair_action is carried by the API industry in only about every bagel product and it’s an enum utilising the after values:

There exists an API that offered the object is returned by a bagel ID that is bagel. The bagel ID is shown in the batch of day-to-day bagels. Consequently if you wish to see if some physical human anatomy has refused you, you could take to the following:

That is a vulnerability that is benign nonetheless it is funny that this industry is exposed through the API its unavailable through the application form.

Geolocation information drip, maybe not really

CMB shows other users longitude and latitude as much as 2 decimal places, this is certainly around 1 square mile. Gladly this information is perhaps maybe not real-time, that will be simply updated whenever someone chooses to update their location. (we imagine this is employed by the application for matchmaking purposes. I have perhaps not verified this theory.)

However, this industry is believed by me may be hidden through the effect.

Findings on The League

Client-side produced verification tokens

The League does the one thing pretty uncommon in their login movement:

The UUID that becomes the bearer is wholly client-side generated. Also a whole lot worse, the host will maybe not validate that the bearer value is a genuine legitimate UUID. It might cause collisions along with other problems.

I will suggest changing the login model so the token this is certainly bearer created server-side and sent to the customer whenever host gets the appropriate OTP through the customer.

Contact number drip through an unauthenticated API

To the League there was an unauthenticated api that accepts a phone amount as concern parameter. The API leakages information in HTTP response code. After the cell phone number is registered, it comes back 200 fine , however when the quantity that is true most certainly not registered, it comes down right back 418 we’m a teapot . It may be mistreated in methods which are few e.g. mapping all the figures under an area rule to observe that is through the League and who is perhaps perhaps not. Or it might lead to potential embarrassment once your coworker understands you are from the software.

This has because been fixed in the event that bug have been reported to your vendor. Now the API merely returns 200 for several needs.

LinkedIn task details

The League integrates with LinkedIn to show a users work and company title in the profile. Usually it goes a bit overboard gathering information. The profile API returns detailed work position information scraped from LinkedIn, exactly like the start year, end year, etc.

Although the application does ask authorization that is individual see LinkedIn profile, the customer almost certainly will perhaps not expect the step by step place information become contained inside their profile for all of us else to examine. I really do maybe not believe that type of information is needed when it comes to computer software to the office, plus it shall oftimes be excluded from profile information.