IBM Says 60 Percent of Dating Apps Vulnerable to Hackers

Just in time for Valentine's Day, an IBM study shows that up to 60 percent of dating apps have vulnerabilities that can be exploited by hackers.

IT stress

According to an IBM Security analysis, Big Blue found that more than 60 percent of leading dating mobile apps it studied are potentially vulnerable to a variety of cyber-attacks that put personal user information and corporate data at risk.

The IBM study showed that many of these dating apps have access to additional features on mobile devices such as the camera, microphone, storage, GPS location and mobile wallet billing information, which in combination with the vulnerabilities may make them exploitable to hackers. IBM also found that nearly 50 percent of organizations analyzed have at least one of these popular dating apps installed on mobile devices used to access business information.

For the one in 10 Americans who admit to using dating apps—according to Pew Research—these vulnerabilities represent a very real threat. Indeed, that "one in 10" statistic means that roughly 31 million people have used a dating site or app and the number of people who dated someone they met online grew to 66 percent.

Moreover, nearly 50 percent of organizations analyzed have at least one of these popular dating apps installed on mobile devices used to access business information.

"Many consumers use and trust their mobile phones for a variety of applications," said Caleb Barlow, vice president of IBM Security, in a statement. "It is this trust that gives hackers the opportunity to exploit vulnerabilities like the ones we found in these dating apps. Consumers need to be careful not to reveal too much personal information on these sites as they look to build a relationship. Our research demonstrates that some users may be engaged in a dangerous tradeoff—with increased sharing resulting in decreased personal security and privacy."

Security researchers from IBM Security found that 26 of the 41 dating apps they analyzed on the Android mobile platform had either medium or high severity vulnerabilities. The analysis was done based on apps available in the Google Play app store in October 2014.

The IBM study showed that while some apps have privacy measures in place, many are vulnerable to attacks that could lead to scenarios such as the dating app used to download malware. Users let their guard down when they anticipate receiving interest from a potential date. That's just the sort of moment that hackers thrive on. Some of the vulnerable apps could be reprogrammed by hackers to send an alert that asks users to click for an update or to retrieve a message that, in reality, is just a ploy to download malware onto their device.

Also, GPS information could be used to track a user's movements. IBM found that 73 percent of the 41 popular dating apps analyzed have access to current and past GPS location information. Hackers can capture a user's current and past GPS location information to find out where a user lives, works, or spends most of his or her time.

Credit card numbers also can be stolen from apps. IBM said 48 percent of the 41 popular dating apps analyzed have access to a user's billing information saved on their device. As a result of poor coding, an attacker could gain access to billing information saved on the device's mobile wallet through a vulnerability in the dating app and steal the information to make unauthorized purchases.

In addition, hackers could gain remote control of a phone's camera or microphone. All the vulnerabilities identified can allow a hacker to gain access to a phone's camera or microphone even if the user is not logged into the app. This means an attacker can spy and eavesdrop on users or tap into confidential business meetings.

Moreover, hackers can hijack a user's data profile. A hacker can change content and images on the dating profile, impersonate the user and communicate with other app users, or leak personal information externally to affect the reputation of a user's identity. This poses a risk to other users, as well, since a hijacked account can be used by an attacker to trick other users into sharing personal and potentially compromising information.

IBM identified some of the specific vulnerabilities on the at-risk dating apps as including cross-site scripting via man in the middle, debug flag enabled, weak random number generator and phishing via man in the middle. When these vulnerabilities are exploited, an attacker can potentially use the mobile device to conduct attacks.