Which is why it's stunning that this long-time security flaw was found in OKCupid today: Anytime a buddy forwards you an email alert from the site, you can easily log onto that person's profile. Since friends will often forward messages they've received on the site—”mind if you vet this chick out?”—to other friends, users like this reporter from The Verge, who discovered the breach today, are sounding an alarm:
It contained a funny message from a prospective suitor: “You seem nice. Would you like to do a date with me?”
I clicked on the message, curious to see if the sender was a sexy foreigner for whom English was a second language. Suddenly, I was in my friend's account, starting at all her read and unread messages. I could see her instant messages. I could edit her profile. Just because I had clicked on an email sent to her, OKCupid thought I was her.
The security hole, in case you were wondering, is caused by OKCupid's “login instantly” feature. It allows you to open an OKCupid email and head directly to your inbox without ever giving a password, and anyone you forward an OKCupid email can do the same. Again, from the Verge:
“This totally defeats the purpose of having a password for the site,” one user said on the OKCupid forum. Another user noted that there is no mechanism to prevent “brute force” attacks, meaning a determined hacker could generate random URLs until he or she found one that would lead to an account.
The login also works multiple times. So you can login to your bro's account on more than one occassion and permanently destroy any future romantic chances. All you need is one single email. Fun!
[H/T: The Verge]