It’s Shockingly Easy To Hack Your OkCupid Account


In fact, it's so easy that I'm not sure it can be called hacking. It doesn't even have to be done intentionally - just one little oblivious click, and suddenly someone else is logged in under your username.

It works like this: when OkCupid sends you an email, every link inside the email carries a unique identifier called a token. When you click the link, the token logs you into your OkCupid account automatically, without your password. The point is to make getting into your account as easy as possible, but the same token makes it worryingly easy for anyone else holding that link to do the same thing.

A writer at The Verge discovered the security hole after receiving a forwarded OkCupid email from a friend. After reading the funny message her friend had received from a prospective suitor, she clicked on the message to see the suitor in question.

"Suddenly," she writes, "I was in my friend's account, staring at all her read and unread messages. I could see her instant messages. I could edit her profile. Just because I had clicked on an email sent to her, OKCupid thought I was her."

Although your friends probably won't do anything unscrupulous if they land in that situation (you hope!), it might not be your friends who unexpectedly find themselves logged into your account. In another case, a woman blogged about an OkCupid user and included a link to his profile that she copied from her email. Unbeknownst to her, any reader who clicked on it would then be instantly logged in as her.

There may be a little karma involved here - because it doesn't seem very nice to publicly blog about a user and include a link to their profile - but no one wants to give every stranger on the Internet access to their online dating profile. The token does expire eventually, but no one has yet determined how long it remains active.
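To make the mechanism described above, and the open question of how long the token stays valid, concrete, here is an added example (constructed code, not OkCupid's): a toy issuer for email login links with a long-lived reusable token beside a short-lived single-use one, showing why a forwarded link keeps working in the first case and is refused in the second. The host name, timings and user names are assumptions.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed demo, not OkCupid's code: a "login instantly" link carries a token
# that is the whole credential, so whoever holds the link (forwarded email, link
# pasted into a blog post) is logged in as its owner. Two knobs limit that
# exposure: a short lifetime and single use. `now` is a unix timestamp.


class LoginLinkIssuer:
    """In-memory issuer/validator for email login links."""

    def __init__(self, ttl_seconds, single_use):
        self.ttl = ttl_seconds
        self.single_use = single_use
        self._records = {}  # token -> {"user", "issued", "used"}

    def issue(self, user, now):
        token = secrets.token_urlsafe(32)  # unguessable, but still a bearer secret
        self._records[token] = {"user": user, "issued": now, "used": False}
        return f"https://dating.example/messages?login_token={token}"

    def login(self, url, now):
        """Return the user the link logs in, or None if the link is rejected."""
        token = parse_qs(urlparse(url).query).get("login_token", [None])[0]
        rec = self._records.get(token)
        if rec is None:
            return None
        if now - rec["issued"] > self.ttl:
            return None  # expired
        if self.single_use and rec["used"]:
            return None  # already consumed by the first click
        rec["used"] = True
        return rec["user"]


def forwarded_link_outcome(issuer, owner_click_at, friend_click_at):
    """Owner clicks her own link, then a friend clicks the forwarded copy."""
    url = issuer.issue("alice", now=0)
    return issuer.login(url, now=owner_click_at), issuer.login(url, now=friend_click_at)


if __name__ == "__main__":
    # Behaviour the article describes: long-lived, reusable token.
    weak = LoginLinkIssuer(ttl_seconds=30 * 86400, single_use=False)
    print(forwarded_link_outcome(weak, 60, 3 * 86400))    # ('alice', 'alice')
    # Hardened: 15-minute lifetime, consumed on first click.
    strong = LoginLinkIssuer(ttl_seconds=900, single_use=True)
    print(forwarded_link_outcome(strong, 60, 3 * 86400))  # ('alice', None)
```

Expiry alone would still let a friend who clicks within the window in, which is why the hardened version also burns the token on first use.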

Naturally, the OkCupid forums have exploded over this. In one discussion thread, a user writes "This totally defeats the purpose of having a password for the site. If anybody happens to be able to read my email, they are then able to see my full OkCupid account. Hello, what kind of account security is this?"

The thread has been active since 2009, so as incensed as OkCupid users may be, the site doesn't appear to be in a hurry to address the issue. Although "Login Instantly" is not a new feature, it is perhaps not the wisest choice for a social network, dating site, or other online destination that contains such personal information.

Think twice next time you're tempted to make fun of a fellow online dater by forwarding their hilarious message on to your friends. Stick to screencaps or - here's a really radical idea - just be nice and don't do it in the first place.