A Security Hole on OkCupid
Dec. 6th, 2009 | 08:03 pm
OkCupid is a dating site. I've been a member of it for a few months now. I like it; if you are looking to add some romance to your life, it's worth a try.
It does, however, have [at least] one potentially dangerous security hole. Is that a reason to avoid using the site? In this case, I'd say "not necessarily", because if you know about the hole, it's easy to avoid making yourself vulnerable to it.
This posting, then, has a dual purpose. On the one hand, I'd like to help build some pressure on the site operators to fix the vulnerability. On the other hand, until that is accomplished, I'd like to help as many people as possible (who are OkCupid users, or thinking of becoming such) to avoid being bitten by it.
And so, if you meet that description, read on.
Like many Web sites, OkCupid likes its members to spend as much time on the site as possible. (Yes, they are primarily supported by advertising; on the plus side, it's free to users.) One of the ways they encourage this is to send the members various e-mails. One category of such e-mails is the "New matches near you" message.
I'm not sure how they define "new", and sometimes you have to wonder about how they define "near", but "matches" pretty clearly means "people you might like". The message typically will contain links to the profiles of several such people.
When you click on one of those links in your e-mail program, it will bring up, in your browser, that person's profile (photo, self-description, etc.). In the process, it will log you in to the site, so that you can see its calculated "match percentage" between you and the person of interest, perhaps send them an on-site message, and so on.
It will log you into the site ... without asking for your password.
Now there's this lady I met on the site. She lives quite far from where I do, so I doubt that we'll meet in person, but she gives good chat. OkCupid's "staff robot" apparently thinks she lives far away from everybody, because it sent her a "New matches near you" message about a guy who also lives thousands of miles from where she does (in the other direction).
She found this a little bit annoying, but mostly, I think, amusing. So she wrote a post in her OkCupid "Journal" about it. (Yes, LJ planet people, other sites do use the word "journal" for a blog-like feature.)
The post also said that it was particularly frustrating, because this "new match [allegedly] near her" was, in fact, kind of attractive. To illustrate this point, she put a link to his profile in her post.
Where did she get the link? She copied and pasted it from the e-mail which had told her about the fellow. After all, the e-mail was the subject of the post, so what could be more natural?
I was, to my knowledge, the second person to click on that link. What happened when I did? Why of course, it took me to the profile of this man that she found yummy, but sadly out of reach. Just what I had expected it to do, nothing odd about that.
A few minutes later, I noticed the icon that tells you that there are new messages for you in the site's internal "e-mail". So I did what any red-blooded OkCupid user would do: I clicked on "Inbox". And that's when I finally noticed that things had taken a decidedly strange turn.
I wasn't looking at my inbox. I was looking at hers.
I am far too much of a gentleman to read a lady's mail, but I did navigate around a little more, in order to confirm what I suspected: I was no longer logged on as myself, I was logged on as her.
I didn't immediately realize how it had happened. But eventually, I was able to confirm the cause of the problem, by deliberately reproducing it.
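As an added illustration (not OkCupid's code and not part of the original post), here is a toy Python server in which the e-mail link carries the whole session, which is the behaviour described above, beside a scoped link that is signed, expires, can be redeemed once and unlocks only the one profile; the host name, server secret and user names are constructed.

```python
import hmac, hashlib, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

SECRET = b"constructed-demo-secret"   # constructed; a real site keeps this out of source
SESSIONS = {}                         # token -> session dict (stand-in for a database)
USED = set()                          # nonces of scoped links already redeemed

def full_login_link(user, profile):
    """The hazard: the link IS the session. Whoever has it is logged in as `user`."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"user": user, "scopes": {"inbox", "profile"}}
    return "https://example.invalid/profile?" + urlencode({"id": profile, "auth": token})

def scoped_link(user, profile, ttl=3600, now=None):
    """Mitigation: a signed, expiring, single-use capability to view one profile."""
    exp = int((now or time.time()) + ttl)
    nonce = secrets.token_urlsafe(8)
    payload = f"{user}|{profile}|{exp}|{nonce}"
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return "https://example.invalid/profile?" + urlencode({"id": profile, "cap": f"{payload}|{sig}"})

def open_link(url, now=None):
    """Server side: turn a clicked link into a session, or None if nobody may be logged in."""
    q = parse_qs(urlparse(url).query)
    if "auth" in q:                                   # bearer session token: no checks at all
        return SESSIONS.get(q["auth"][0])
    if "cap" not in q:
        return None
    try:
        user, profile, exp, nonce, sig = q["cap"][0].split("|")
    except ValueError:
        return None
    payload = f"{user}|{profile}|{exp}|{nonce}"
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):        # forged or tampered link
        return None
    if int(exp) < (now or time.time()) or nonce in USED:  # stale or already redeemed
        return None
    USED.add(nonce)
    return {"user": user, "scopes": {"profile"}, "profile": profile}

def read_inbox(session):
    """Only a fully authenticated session (password login) may open the inbox."""
    if session is None or "inbox" not in session["scopes"]:
        return None
    return f"inbox of {session['user']}"
```

With the first kind of link, anyone who finds it in a journal post lands in the recipient's inbox; with the second, a pasted or forwarded link shows one profile, once, for an hour, and the inbox still needs a password.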
At that point, I said to myself, "I've seen this movie before, and I don't like the way it ends." I mean, think about it: what if somebody went down one of these rabbit holes, who was not a gentleman (nor a lady) at all?
Yeah, have fun thinking about all the evil things such a person could do.
No, don't have that much fun!
The moral of the story is simple. If you get an e-mail from OkCupid with a link in it, don't paste that link up on the Web. You be you, and don't you be offering all those other freaky people out there the opportunity to be anything but their own damn selves.
Oh, and don't forward those OkCupid e-mails to anyone, either. At least, not unless it's to someone you trust. A lot.