The love fest may be coming to an end for the hundreds of thousands of users searching for that special someone through one of the largest free online dating sites. OkCupid is placing users’ privacy at risk by failing to support safe usage of its entire web site through HTTPS. Every OkCupid email, chat session, search, clicked link, web page viewed, and username is transmitted over the Internet in unencrypted plaintext, where it can be intercepted and read by anyone on the network.
Screen shot from the OkCupid Help Forum. While passwords after initial signup aren’t sent in the clear, there are other severe security problems with OkCupid.com.
“HTTPS” is standard web encryption that ensures information sent and received over the web is encrypted rather than transmitted as plaintext. OkCupid does not enable HTTPS across the site, which means that while OkCupid does not leak passwords entered during login over plaintext, it does leak a lot of other sensitive information. OkCupid’s failure to offer HTTPS support potentially exposes:
- E-mail content from within OkCupid
- Content of online chats on OkCupid
- Queries conducted on the website
- Every unique web page viewed, and so every profile looked at
- Content of “hidden” questions–questions a user answers in order to improve match results but then marks as “private” so others cannot see the response
Failing to provide HTTPS is especially unfortunate because OkCupid offers a variety of privacy-enhancing ways of restricting who can access your profile. For example, users who mark their sexual orientation as gay or bisexual may choose not to allow their profile to be seen by straight people. This feature could be useful for someone who is looking to date a same-sex partner but is not openly queer to others in their community. Unfortunately, your profile information, including the fact that you identify as gay and don’t want to be seen by straight people, is sent over plaintext.
OkCupid provides privacy settings to limit who sees your profile, including restricting whether heterosexual users can see your profile.
Other privacy-enhancing features, such as restricting who can see your profile (to everyone, members of OkCupid, your favorites, or no one at all), can be circumvented easily by somebody monitoring your plaintext communication with OkCupid.
It’s even worse than you imagined.
The failure to encrypt your communications exposes sensitive data in online profiles to eavesdroppers, who could snoop on the content of your profile to learn about sensitive topics like religious and political beliefs, drug use, and sexual practices. The failure to encrypt also exposes the HTTP cookie that is used to authenticate you to the site, meaning the eavesdropper can actually take over your account and impersonate you, even without knowing your password.
OkCupid lets users answer questions to help improve their matches. Users get privacy settings to answer questions “privately”—though the data is still transmitted in plaintext.
Although security experts have warned about this problem for over a decade, this attack was sometimes dismissed as theoretical or difficult to pull off. But all of that changed with the release of Firesheep, a simple tool that can be used on shared wifi networks to take over web-based accounts on non-HTTPS sites. This kind of eavesdropping is trivial for someone with even basic skills.
Firesheep lets an attacker take over an account by stealing a cookie without actually knowing the account password. For example, when you sit down in a coffee shop using a shared network and log into a site that does not have HTTPS enabled, someone using the same network can watch what you are doing and even impersonate you.
Because OkCupid’s login form is also delivered over insecure HTTP, a more sophisticated attacker could also tamper with the login form itself, replacing it with a version that disables HTTPS entirely in order to learn the user’s password.
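The two failure modes above (a session cookie readable on the wire, and a login page that can be rewritten because it is served over plain HTTP) both show up in a site's response headers, so a defender can audit for them without sniffing anyone's traffic. The following is an added example written for this article, not code from EFF or OkCupid: it parses raw HTTP responses and flags plaintext service with no redirect to HTTPS, a missing Strict-Transport-Security header, and a session cookie without the Secure and HttpOnly flags. The cookie name "session", the host "dating.example" and the sample responses are all constructed for illustration.

```python
"""Audit HTTP response headers for the transport-security defects a
plaintext-only site exhibits: no redirect to HTTPS, no HSTS, and a session
cookie that a passive eavesdropper (or a script) can read."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Assumed name of the site's authentication cookie (constructed for this example).
SESSION_COOKIE_NAMES = ("session",)
REDIRECT_STATUSES = (301, 302, 307, 308)


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]]  # (lower-cased name, value), in wire order


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.1 response into its status code and header list."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Response(status, headers)


def header_values(resp: Response, name: str) -> List[str]:
    """All values for a header (Set-Cookie may legitimately repeat)."""
    return [v for n, v in resp.headers if n == name]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Return (cookie name, {lower-cased attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.lower()] = val if sep else True
    return name, attrs


def audit(raw: str, scheme: str) -> List[str]:
    """List the transport-security findings for a response fetched over `scheme`."""
    resp = parse_response(raw)
    findings: List[str] = []
    if scheme == "http":
        # A plaintext request must be answered with a redirect to HTTPS, not content.
        location = header_values(resp, "location")
        redirected = (resp.status in REDIRECT_STATUSES and location
                      and location[0].lower().startswith("https://"))
        if not redirected:
            findings.append("served over plaintext HTTP with no redirect to HTTPS")
    else:
        # Browsers only honour HSTS on HTTPS responses, so check it there.
        if not header_values(resp, "strict-transport-security"):
            findings.append("missing Strict-Transport-Security header")
    for set_cookie in header_values(resp, "set-cookie"):
        name, attrs = parse_set_cookie(set_cookie)
        if name.lower() in SESSION_COOKIE_NAMES:
            if "secure" not in attrs:
                findings.append(f"session cookie '{name}' lacks the Secure flag")
            if "httponly" not in attrs:
                findings.append(f"session cookie '{name}' lacks the HttpOnly flag")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=deadbeef; Path=/\r\n"
    "\r\n<html>login form served in the clear</html>"
)
HARDENED_HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://dating.example/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=deadbeef; Path=/; Secure; HttpOnly\r\n"
    "\r\n<html>ok</html>"
)

if __name__ == "__main__":
    for label, raw, scheme in (("weak", WEAK_HTTP_RESPONSE, "http"),
                               ("redirect", HARDENED_HTTP_REDIRECT, "http"),
                               ("https", HARDENED_HTTPS_RESPONSE, "https")):
        print(label, audit(raw, scheme) or "no findings")
```

The Secure flag alone stops the cookie from being sent over HTTP, but it does nothing for a login form that is itself delivered in plaintext; only serving the whole site over HTTPS, with a redirect from HTTP and an HSTS header so browsers stop asking for the plaintext version, closes both holes.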
Major web sites like Twitter have come to appreciate these threats and offered meaningful, comprehensive HTTPS support to protect their users. These actions are in line with former Federal Trade Commissioner Pamela Jones Harbour’s call for sites to adopt HTTPS. Unfortunately, online dating sites like OkCupid are lagging behind—way behind.
Tell OkCupid to protect your privacy
Many avid fans of OkCupid want to let the service know that it shouldn’t cut corners when it comes to security. Send OkCupid an email here.