Critical zero-day vulnerabilities in Gaper, an ‘age gap’ dating app, could be exploited to compromise any user account and potentially extort users, security researchers claim.
The absence of access controls, brute-force protection, and multi-factor authentication in the Gaper app mean attackers could potentially exfiltrate sensitive personal data and use that data to achieve full account takeover within just 10 minutes.
More worryingly still, the attack did not leverage “0-day exploits or advanced techniques and we would not be surprised if this had not been previously exploited in the wild”, said UK-based Ruptura InfoSecurity in a technical write-up published yesterday (February 17).
Despite the apparent gravity of the threat, researchers said Gaper failed to respond to multiple attempts to contact them via email, their only support channel.
GETting personal data
Gaper, which launched in the summer of 2019, is a dating and social networking app aimed at people seeking a relationship with younger or older men or women.
Ruptura InfoSecurity says the app has around 800,000 users, mostly based in the UK and US.
Because certificate pinning was not enforced, the researchers said it was possible to obtain a manipulator-in-the-middle (MitM) position through the use of a Burp Suite proxy.
This enabled them to snoop on “HTTPS traffic and easily enumerate functionality”.
Source: Security researchers warn of critical zero-day flaws in ‘age gap’ dating app Gaper
