A friend who recently started using OKCupid just forwarded me an email she got from the site, containing a funny message from a prospective suitor: "You seem nice. Would you like to do a date with me?"
I clicked on the message, curious to see if the sender was a sexy foreigner for whom English was a second language. Suddenly, I was in my friend's account, staring at all her read and unread messages. I could see her instant messages. I could edit her profile. Just because I had clicked on an email sent to her, OKCupid thought I was her.
OKCupid frequently emails its users new matches, prompts them to update their accounts, and sends them other links to the site. Those "login instantly" links include a token that logs in to the account associated with the email address without asking for a password. Even though it makes it easy for anyone with the link to impersonate a user, OKCupid considers this a feature, not a bug, because it shuttles users quickly and seamlessly onto the site.
OKCupid thought I was her
"Login instantly" is not new, but it's an unusual choice for a social network, and a potentially alarming feature for a service that many users consider deeply personal. Furthermore, most users don't seem to be aware of it. Those who are have been complaining since 2009 about how easy it is to accidentally give out full account access. OKCupid declined to comment on the practice.
"This totally defeats the purpose of having a password for the site," one user said on the OKCupid forum. Another user noted that there is no mechanism to prevent "brute force" attacks, meaning a determined hacker could generate random URLs until he or she found one that would lead to an account.
The typical complaint, however, seemed to be that users were forwarding OKCupid emails without realizing that they were also handing over the keys to their accounts:
When I got my first "login instantly" email, I didn't realize that "instantly" meant without having to enter a password, and I never tested it. I forwarded the email to my friend to tell her about okcupid, and consequently she now has full access to my account. Ok, she's my friend and thankfully she told me about how the link worked, so it's not the worst thing in the world, but it does make me feel a little exposed, and what if I had sent it to someone I was a little less friendly with? I don't know of ANY other site that allows an instant login link like that without having to enter a password. I subsequently changed my password, but the same link still works. So I can't think of a way to undo this without closing my account and opening a new one (or not).
In another case, a woman blogged about a guy OKCupid had suggested to her. She grabbed the link to his profile from her email, not realizing that any reader who clicked on it would then be instantly logged in as her.
Another OKCupid user read her post, clicked on the link, and found himself inside someone else's inbox.
"I am far too much of a gentleman to read a lady's mail, but I did navigate around a little more, in order to confirm what I suspected: I was no longer logged on as myself, I was logged on as her," he wrote in a blog post titled "A Security Hole on OKCupid."
"What if somebody went down one of these rabbit holes, who was not a gentleman (nor a lady) at all?" he continued. "Yeah, have fun thinking about all the evil things such a person could do."
"What if somebody went down one of these rabbit holes, who was not a gentleman at all?"
The token in the instant login link worked multiple times. It does expire eventually, but it is not clear how long that takes (I tested a link that was over a year old; it failed to work).
Dave Evans has been an expert on online dating almost as long as it's been around; he writes the Online Dating Insider blog and is a rabid online dater himself. Yet he was unaware of the instant login feature. "That certainly is a security issue of the highest order," he says.
Another dating site, HowAboutWe, employs instant logins from email links but allows users to opt out.
"We originally built this feature because people requested it many times; it allows for a more easeful and immediate user experience," says HowAboutWe co-founder Brian Schechter, noting that these links do not allow users to see credit card or password information. "Security, safety and privacy are all extremely important at HowAboutWe and we definitely would advise against sharing links in emails from HowAboutWe with people that you don't want gaining access to your profile."
Illustration by Dylan C. Lathrop.