OKStupid: Dating site e-mail may give people access to your account

Do not forward e-mail or links you receive from OKCupid — you may be handing out direct, unprotected access to your account.

Imagine your friend forwards you an e-mailed notification he got from OKCupid. When you click on the link, suddenly you are inside his account, able to access anything inside his online dating world. After setting up my wonderful guinea pig of a coworker, that’s exactly what I was able to do.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":800644,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"D"}']

He sent me one of his OKCupid messages that contained a link back to the site. When I clicked the link to see his “great matches,” I found myself in his profile, able to click on links, edit his settings, send messages, delete the account, change his password (if I know his current password), and add payment information. It doesn’t look like I can retrieve existing payment information, thankfully.

OKCupid is an online dating website that, like any social network, sends out e-mail notifications about actions occurring on the website. But in order to make traveling from an e-mail to the website more “seamless,” some websites provide an automatic login feature, or “login instantly.” This means links within that e-mail are set up with authentication tokens that tell the website you are who you say you are — even if you’re not.

“We’re not commenting on this,” an OKCupid spokesperson told VentureBeat in an e-mail.

The issue was first reported by Adrianne Jeffries at The Verge, who received a forwarded e-mail from a friend using OKCupid. The message, “You seem nice. Would you like to do a date with me?” When Jeffries clicked on the link to check out who the sender was, she too found herself inside her friend’s account.

This is a big concern for people who don’t realize exactly what login instantly does and share their links and e-mail with friends — or worse, on social networks. Content on OKCupid is often sensitive, and changing the password on the account doesn’t revoke a link’s access. The tokens associated with the links to expire, though it is unclear how long that takes.

It’s also a problem for anyone whose e-mail is hacked. While the damage seems to be limited to embarrassing messages being sent out on your behalf, hackers could use messages on OKCupid from you to spear-phish more sensitive information out of people in your network.