
A Security Hole on OkCupid

Dec. 6th, 2009 | 08:03 pm
mood: public-spirited

OkCupid is a dating site.  I've been a member of it for a few months now.  I like it; if you are looking to add some romance to your life, it's worth a try.

It does, however, have [at least] one potentially dangerous security hole.  Is that a reason to avoid using the site?  In this case, I'd say "not necessarily", because if you know about the hole, it's easy to avoid making yourself vulnerable to it.

This posting, then, has a dual purpose.  On the one hand, I'd like to help build some pressure on the site operators to fix the vulnerability.  On the other hand, until that is accomplished, I'd like to help as many people as possible (who are OkCupid users, or thinking of becoming such) to avoid being bitten by it.

And so, if you meet that description, read on.

Like many Web sites, OkCupid likes its members to spend as much time on the site as possible.  (Yes, they are primarily supported by advertising; on the plus side, it's free to users.)  One of the ways they encourage this is to send the members various e-mails.  One category of such e-mails is the "New matches near you" message.

I'm not sure how they define "new", and sometimes you have to wonder about how they define "near", but "matches" pretty clearly means "people you might like".  The message typically will contain links to the profiles of several such people.

When you click on one of those links in your e-mail program, it will bring up, in your browser, that person's profile (photo, self-description, etc.).  In the process, it will log you in to the site, so that you can see its calculated "match percentage" between you and the person of interest, perhaps send them an on-site message, and so on.

It will log you into the site ... without asking for your password.
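To make concrete what such a link is, here is a small Python model I've added to this post (it is not OkCupid's code, and the post says nothing about how their links actually work). It puts the behaviour described above, where the URL alone creates a full session for the account the mail was sent to, beside a version of the same feature in which a leaked link is worth much less: single use, a 24-hour lifetime, a token stored only as a hash, and a session that can view the one profile the mail was about but not read the inbox without a password. The user names, the 24-hour figure and the "view this one profile" scope are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """What the browser holds after a link is clicked (constructed model)."""
    user: str
    full_login: bool                    # True only after a password was checked
    scope: set = field(default_factory=set)


class NaiveLoginLinks:
    """The behaviour the post describes: the URL *is* the account.
    Anyone holding the link gets a full session, as often as they like."""

    def __init__(self):
        self._tokens = {}               # token -> user

    def issue(self, user, profile, now):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = user      # profile and time are ignored
        return token

    def redeem(self, token, now):
        user = self._tokens.get(token)
        return None if user is None else Session(user=user, full_login=True)


class HardenedLoginLinks:
    """Same one-click convenience, but a leaked link is worth far less:
    single use, short lifetime, and a session that can only view the one
    profile the mail was about."""

    TTL = 24 * 3600                     # assumed lifetime; the post gives no number

    def __init__(self):
        self._tokens = {}               # sha256(token) -> (user, profile, expires_at)

    def issue(self, user, profile, now):
        token = secrets.token_urlsafe(24)
        key = hashlib.sha256(token.encode()).hexdigest()   # store a hash, not the token
        self._tokens[key] = (user, profile, now + self.TTL)
        return token

    def redeem(self, token, now):
        key = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(key, None)                # pop: a link works once
        if record is None:
            return None
        user, profile, expires_at = record
        if now > expires_at:
            return None
        return Session(user=user, full_login=False,
                       scope={("view_profile", profile)})


def view_profile(session, profile):
    """The thing the link was sent for: allowed in both designs."""
    if session is None:
        return False
    return session.full_login or ("view_profile", profile) in session.scope


def open_inbox(session):
    """Reading someone's mail needs a real (password) login."""
    if session is None or not session.full_login:
        raise PermissionError("password login required")
    return f"inbox of {session.user}"


def scenario(links, now=0):
    """Replay the post: a link mailed to Alice is pasted publicly and Bob
    clicks it.  Returns what Bob could do with it."""
    token = links.issue("alice", "new_match", now)          # the mail to Alice
    bob = links.redeem(token, now + 600)                     # Bob clicks it
    result = {"profile_visible": view_profile(bob, "new_match")}
    try:
        open_inbox(bob)
        result["inbox_readable"] = True                      # Bob reads Alice's mail
    except PermissionError:
        result["inbox_readable"] = False
    result["second_click_works"] = links.redeem(token, now + 700) is not None
    fresh = links.issue("alice", "new_match", now)
    result["works_after_a_week"] = links.redeem(fresh, now + 7 * 86400) is not None
    return result


if __name__ == "__main__":
    print("naive:   ", scenario(NaiveLoginLinks()))
    print("hardened:", scenario(HardenedLoginLinks()))
```

Running it shows the naive link letting Bob see the profile, read Alice's inbox, reuse the link, and use a week-old one, while the hardened link lets him see only the profile, once, within the day. Even the hardened link is still a credential for whatever it grants, so the advice later in this post about not pasting or forwarding these e-mails still applies; the model only shrinks what a leak is worth.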

Now there's this lady I met on the site.  She lives quite far from where I do, so I doubt that we'll meet in person, but she gives good chat.  OkCupid's "staff robot" apparently thinks she lives far away from everybody, because it sent her a "New matches near you" message about a guy who also lives thousands of miles from where she does (in the other direction).

She found this a little bit annoying, but mostly, I think, amusing.  So she wrote a post in her OkCupid "Journal" about it.  (Yes, LJ planet people, other sites do use the word "journal" for a blog-like feature.)

The post also said that it was particularly frustrating, because this "new match [allegedly] near her" was, in fact, kind of attractive.  To illustrate this point, she put a link to his profile in her post.

Where did she get the link?  She copied and pasted it from the e-mail which had told her about the fellow.  After all, the e-mail was the subject of the post, so what could be more natural?

I was, to my knowledge, the second person to click on that link.  What happened when I did?  Why of course, it took me to the profile of this man that she found yummy, but sadly out of reach.  Just what I had expected it to do, nothing odd about that.

A few minutes later, I noticed the icon that tells you that there are new messages for you in the site's internal "e-mail".  So I did what any red-blooded OkCupid user would do: I clicked on "Inbox".  And that's when I finally noticed that things had taken a decidedly strange turn.

I wasn't looking at my inbox.  I was looking at hers.

I am far too much of a gentleman to read a lady's mail, but I did navigate around a little more, in order to confirm what I suspected: I was no longer logged on as myself, I was logged on as her.

I didn't immediately realize how it had happened.  But eventually, I was able to confirm the cause of the problem, by deliberately reproducing it.

At that point, I said to myself, "I've seen this movie before, and I don't like the way it ends."  I mean, think about it: what if somebody went down one of these rabbit holes, who was not a gentleman (nor a lady) at all?

Yeah, have fun thinking about all the evil things such a person could do.

No, don't have that much fun!

The moral of the story is simple.  If you get an e-mail from OkCupid with a link in it, don't paste that link up on the Web.  You be you, and don't you be offering all those other freaky people out there the opportunity to be anything but their own damn selves.

Oh, and don't forward those OkCupid e-mails to anyone, either.  At least, not unless it's to someone you trust.  A lot.


Comments {8}

so_zanie

(no subject)

from: so_zanie
date: Dec. 7th, 2009 01:17 am (UTC)

Whoa. I knew OKC was evil :P (or, at least, for what I am looking for, a waste of time), but this takes the cake. Glad I gave up on it months ago.

Edited at 2009-12-07 01:17 am (UTC)

jtdiii

(no subject)

from: jtdiii
date: Dec. 7th, 2009 04:15 am (UTC)

Many sites encounter this issue in one form or another, most of them close it quickly once they realize they have it. I hope that OKC responded quickly when you pointed this out to them.

a Me

(no subject)

from: justanyolname
date: Dec. 7th, 2009 01:16 pm (UTC)

Eeek! Good to know!

OKC

from: anonymous
date: Dec. 7th, 2009 06:24 pm (UTC)

Wow. I don't really understand how that happened?
Maggie

Trevor Stone

(no subject)

from: flwyd
date: Dec. 9th, 2009 06:35 am (UTC)

Not to mention the inherent insecurity of email: it's sent over the wire in the clear, you have no guarantee that your user is the one reading the email, etc. (A jealous SO could click on an OKCupid link while snooping through your email and get access to all the people you've communicated with on the dating site).

I've always assumed that the OKC developers were aware that sending auto-login links is not very secure and that they don't really care.

(no subject)

from: anonymous
date: Jan. 4th, 2010 04:16 am (UTC)

Of course if someone is reading your email they could just get access to your account by going to "forgot password" and typing in your email. That seems like a problem inherent in every web service that doesn't use an out of band communication channel to reset account information.

Tom Anderson

Here's a sample link to login to OkCupid

from: Tom Anderson
date: Nov. 8th, 2012 12:05 pm (UTC)

Thought you might be amused that this problem is still around. Just got a link today that is still valid. OkCupid will only accept the link for a few days or so, but for now you can try this dummy account link to see how great instant login via email can be if you accidentally forward it.

http://www.okcupid.com/l/.5z3g7GdOrsBR.4ES9tYWlsYm94P2ZvbGRlcj0x.4gjPSlbL4YptQm5n5ACTq.6IPXVnPnZaa7TanrC1@hyUkhdgP8Q==

Tom Edelson

Re: Here's a sample link to login to OkCupid

from: edelsont
date: Dec. 11th, 2012 11:45 pm (UTC)

Thanks! Belatedly. I hadn't realized that I hadn't even gotten around to unscreening your comment, until now.

I did try the link, back when I first got your comment, and it worked. I resisted the temptation to edit the profile of the person as whom I was then logged in.
