Search online - how i hacked online dating


SUBMITTED BY: Guest

DATE: Jan. 6, 2019, 5:21 a.m.


  3. The best way to flirt is to care deeply about whatever your date is saying and to focus all of your attention on him or her. If you are unable to protect this data, then do not collect it. This turned out to be wwwaaayyy more efficient than doing the entire process for each profile we liked.
  4. The reverse engineering I just did is 99% done on Chrome without the need of any other tools. Especially when I was so emotionally attached to whether or not they responded.
  5. But I only sent the movie gift-card once. For all you muggles out there, these are the characteristics that the houses ring and what your house says about you: Gryffindor: The house of the brave, loyal, courageous, adventurous, daring and chivalrous. They promoted it in the underground as a dating website based on science. Will data and an algorithm lead me to my Prince Charming? Men, on the other hand, have the exact opposite problem unless, of course, they look like Channing Tatum or Shemar Moore. Have them read it aloud. She ended up with 72 different data points, which she prioritized into a two-tier ranking system.
  6. How to Hack Online Dating Sites - And I LOVE learning about things like psychology, efficacy, and problem solving. If you want chat with girls online, go hit up an AOL chatroom.
  7. Disclaimer: I am not a fan of online dating, nor do I have any online dating apps installed on my devices. I have tried a few of the most famous online dating apps and they did not appeal to me. I love approaching people anywhere and saying Hi.

So why did I sign up for this one? They promoted it in the underground as a dating website based on science. That really intrigued me into seeing how this works. This dating website charges more than £50 per month to be able to see photos and to message people. That surely is because they are providing such a smart service.

Tonight while working on my startup — A service to create your own beautiful product documentation, API reference, user guides in hosted developer hubs portals — I got a message from someone with 100% compatibility, as the dating website claims, so I was highly intrigued to know who she was. The dating website does not even allow you to read the message. If you are not a technical person, jump to Moral of the Story below.

Let the Reverse Engineering Begin

I thought, the first thing I can do is to see the network traffic coming in and out of the app. I am using the app on my iPhone. Well, I can see the profile and every detail she has entered about herself. Kinda creepy, but okay, anyway this kind of shows on the application. No problem, will leave it for later. All important requests seem to be happening on SSL. Seems that they did a good job here in knowing that I am not using the proper SSL certificates and that I am performing a man in the middle attack.

I headed over to their website and logged on. I could almost see the same interface, same blurred faces, same inbox which I cannot read. On Chrome it is pretty easy to read the HTTPS requests, and so I did. Filtered the Network tab to XHR, and looked at the GET requests and voila… Here is the inbox chat message I just received! I feel like I should send an interesting message but I'm all Mondayed out.

Okay, well cool, but still I cannot pinpoint who this person is, nor reply back. Since we got this far, probably we can go even farther. At this point — I started writing this Medium post because I realised that their security does not seem to be marvellous.

Sending a Message — Will It Work?

Meanwhile I was preserving the log of Chrome Network Requests. Is it that the word does not get sent, or is there something else going on?

Websocket Inspection

Moving over to websocket filtering in the Chrome Network tab, gladly there was only one websocket to monitor. Looping over the messages trying to understand the XML being sent (who the hell uses XML these days for websocket communication?). I installed the Simple Websocket Client Chrome extension, copied the websocket URL, opened a websocket connection and that was a success.

Okay, how do we send a message now to this match? It is not expecting such schema. I am sending the pre-defined message ID, so the ID must exist somewhere. I opened the list to send more messages and I inspected the HTML and it turns out that that message has the ID 62. Ah okay, I see where I went wrong: messageId is some other ID, while the value is 62 for the pre-defined message. I remembered that while looking through the GET requests, I saw such a thing. Here it is:

Types of Actions

I see what to do now, just set the type to CHAT, and the value to my chat message. Response: OH YEAH, I GOT A RECEIPT. Refresh the inbox page, and voila we have a message written.

Talk to my Match

The last piece of the puzzle is to know how to talk to anyone on this website, rather than just to that person. There does not seem to be any identifier to the person I am chatting with except in the message websocket frame. It seems that the chat address that looks like an e-mail address is the identifier of the person I am sending to. Copy the extended profile information to Sublime Text. Find the chat address in text. Ah, it is the encrypted user ID.

After a long look at all these IDs and chat addresses, it turns out it is the resource ID: 12309078132

Trial number 2: Find what that resource ID is. Edit the resource ID, and voila. We have a message sent to the cutie!

Why Stop Here

I started thinking, well this is getting fun. How about we try to see those blurred photos now. I was thinking, maybe if I have a paid account, then I can see how I can map the blurred images to the original images. So what can we do? It turns out that the website has a way of enumerating the images I1, I2, I3, and so on; that long identifier is my encryptedUserId, photos have versions 1 or 2, and sizes are defined by THUMB, ICON, NORMAL, and so on. Is this service as insecure as I think it is? Try again with different numbers: 404 Not Found. Can we get those profiles though using a user ID? I cannot see how we can do that now.

Moral of the Story

I am not a hacker, nor do I want to cause damage. I just understand how web services work. The reverse engineering I just did is 99% done on Chrome without the need of any other tools. Gaining full membership features to a service that charges so highly was so easy as most of the security was done at the frontend, not the backend. It is a high-walled castle with an open gate and no guards inside it.

When a message is being sent with the CHAT action, check that the user sending it is actually a premium member. You can re-route your web server (Jetty) when an image is requested, check membership, and serve it blurred if the user is not a premium user, or normal if the user is. Your membership could easily be replaced by a Chrome extension that replaces URLs for photos, replaces HTML of the inbox to match what you get in the requests, and sends out messages using your websocket.

Why Does All of This Matter?

We are at an age where data collection is technically easy for companies, and the users are willing to foolishly and unhesitantly give out their data, unaware of the vague privacy policies behind them. The amount of data you gather around users is huge, and you are very responsible for this. If you are unable to protect this data, then do not collect it. The General Data Protection Regulation (GDPR) is coming on the 25th of May 2018.

Update (25th of May 18): Hello GDPR!

My Hopes

With GDPR, I am hoping that your awareness about the amount of data services collect about you will be greater. With the greater awareness, people will start to hesitate to supply information about themselves that may be unnecessary for the services to work, and companies will be forced to be more transparent about how they are using the data. Remember that with GDPR, you can request a copy of your data in human readable format from any service provider, and that this request must be fulfilled in 72 hours. Once news about companies being fined starts to come out, companies will start employing practices to secure their systems.
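
The server-side checks recommended under Moral of the Story, sketched as an added example (not code from the original post or from the dating site). The session store, the `PREDEFINED` action name and all function and field names are assumptions; only the `CHAT` type and the pre-defined message ID 62 come from the post.

```python
# Added example: server-side entitlement checks for the two gaps the post names.
# USERS, handle_frame, photo_variant and the field names are hypothetical.
from dataclasses import dataclass

# Constructed sample data: membership lives on the server, keyed by session.
USERS = {
    "sess-free": {"user_id": "u1", "premium": False},
    "sess-paid": {"user_id": "u2", "premium": True},
}
PREDEFINED_MESSAGE_IDS = {62}   # canned messages any member may send
FREE_ACTIONS = {"PREDEFINED"}   # hypothetical name for the canned-message action
PAID_ACTIONS = {"CHAT"}         # free-text chat requires a premium membership


@dataclass
class Result:
    ok: bool
    reason: str


def handle_frame(session_id: str, frame: dict) -> Result:
    """Authorize one websocket frame using server-side state only."""
    user = USERS.get(session_id)
    if user is None:
        return Result(False, "unauthenticated")
    action = frame.get("type")
    if action in PAID_ACTIONS:
        # Any membership flag inside the frame is ignored: the client controls it.
        if not user["premium"]:
            return Result(False, "premium required")
        value = frame.get("value")
        if not isinstance(value, str) or not value.strip():
            return Result(False, "empty message")
        return Result(True, "chat accepted")
    if action in FREE_ACTIONS:
        if frame.get("value") not in PREDEFINED_MESSAGE_IDS:
            return Result(False, "unknown predefined message")
        return Result(True, "predefined accepted")
    return Result(False, "unknown action")  # default deny


def photo_variant(session_id: str, owner_id: str) -> str:
    """Choose the rendition the server streams; the requested URL never decides."""
    user = USERS.get(session_id)
    if user and (user["premium"] or user["user_id"] == owner_id):
        return "original"
    return "blurred"
```
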
