Of all your online profiles and inboxes, the one with the most potential for personal embarrassment has to be OkCupid. According to a report in the Verge, your OkCupid account also happens to be easily accessible—merely by forwarding an email alert from the site.
Suddenly, I was in my friend's account, staring at all her read and unread messages. I could see her instant messages. I could edit her profile. Just because I had clicked on an email sent to her, OKCupid thought I was her.
The security hole is caused by OkCupid's ill-advised "login instantly" feature. While it makes the process of logging into your OkCupid inbox less of a hassle, members aren't necessarily aware that they're handing over full access every time they forward an email:
"Login instantly" is not new, but it's an unusual choice for a social network, and a potentially alarming feature for a service that many users consider deeply personal. Furthermore, most users don't seem to be aware of it. Those who are have been complaining since 2009 about how easy it is to accidentally give out full account access. OKCupid declined to comment on the practice.
"This totally defeats the purpose of having a password for the site," one user said on the OKCupid forum. Another user noted that there is no mechanism to prevent "brute force" attacks, meaning a determined hacker could generate random URLs until he or she found one that would lead to an account.
What's more, the token in the log-in link can be used multiple times, although it expires after an unspecified period of time. Jeffries says an email forwarded from a year ago didn't allow her access to her friend's profile.
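The properties an emailed login link would need to avoid the problems described above (single use, short expiry, an unguessable value, throttled guessing), as an added example that is not OkCupid's code. The class name, the 15-minute lifetime, the failure limit and the sample addresses are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60      # assumed link lifetime in seconds
MAX_FAILURES = 5         # assumed bad guesses allowed per client


class LoginLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}      # sha256(token) -> [user_id, expires_at, used]
        self._failures = {}  # client id (e.g. source IP) -> failed redemptions

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked table cannot be replayed as links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 random bits: guessing is infeasible
        self._rows[self._digest(token)] = [user_id, self._clock() + TOKEN_TTL, False]
        return token  # this value goes into the emailed URL

    def redeem(self, token, client):
        """Return the user id once per token, else None."""
        if self._failures.get(client, 0) >= MAX_FAILURES:
            return None  # throttle clients that keep presenting bad tokens
        row = self._rows.get(self._digest(token))
        if row is None or row[2] or self._clock() >= row[1]:
            self._failures[client] = self._failures.get(client, 0) + 1
            return None
        row[2] = True  # single use: a forwarded copy of the email is now dead
        return row[0]


def demo():
    now = [1_000_000.0]  # constructed clock so expiry can be shown offline
    store = LoginLinkStore(clock=lambda: now[0])
    link = store.issue("alice")
    first = store.redeem(link, "203.0.113.5")    # owner clicks the link
    replay = store.redeem(link, "198.51.100.7")  # friend opens the forwarded mail
    stale = store.issue("alice")
    now[0] += TOKEN_TTL + 1
    expired = store.redeem(stale, "203.0.113.5")  # alert opened after the TTL
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

A single-use link still signs in whoever opens it first, so forwarding an unopened alert remains risky; limiting what such a session can do without the password is a separate control.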
I tested the bug out myself, forwarding an email alert about an OkCupid message I received in August to a friend. "I can see your inbox. ugh tell oneniceguy to change his name. HE DOTH PROTEST TOO MUCH," she gChatted back. I tested out another OkCupid email alert from back in January. "dat one worked too," my friend wrote back, notifying me that I had just received a new message—even before OkCupid had a chance to send me an alert.
We've reached out to OkCupid and IAC for comment and will update the post when we hear back.