The love fest may be coming to an end for the hundreds of thousands of users searching for that special someone through one of the largest free online dating sites. OkCupid is placing users' privacy in peril by neglecting to support secure access to its whole site through HTTPS. Every OkCupid email, chat session, search, clicked link, web page viewed, and username is transmitted over the Internet in unencrypted plaintext, where it can be intercepted and read by anyone on the network.
Screenshot from the OkCupid Help Forum. While passwords after initial signup aren't sent in the clear, there are other severe security problems with OkCupid.com.
"HTTPS" is standard web encryption that ensures information sent and received online is encrypted rather than transmitted as plaintext. OkCupid does not enable HTTPS across its site, which means that while OkCupid does not leak passwords entered during login over plaintext, it does leak plenty of other sensitive information. OkCupid's failure to offer HTTPS support potentially reveals:
- Email content from within OkCupid
- Content of online chats on OkCupid
- Searches conducted on the site
- Every unique page URL, and therefore every page viewed
- Content of "hidden" questions: questions a user answers to improve match results but then marks as "private" so others cannot see his or her response
Failing to provide HTTPS is especially unfortunate because OkCupid offers a number of privacy-enhancing options for limiting who can access your profile. For example, users who mark their sexual orientation as gay or bisexual may choose not to allow their profile to be seen by straight people. This feature may be ideal for a person who is looking to date a same-sex partner but is not openly queer among others in their community. Unfortunately, your profile information, including the fact that you identify as gay and don't want to be viewed by straight people, is transmitted over plaintext.
OkCupid provides privacy settings to restrict who sees your profile, including restricting whether heterosexual users can see your profile.
Other privacy-enhancing features, such as restricting who can see your profile (everyone, members of OkCupid, your favorites, or nobody at all), are easily circumvented by someone monitoring your plaintext communication with OkCupid.
It's even worse than you imagined.
The failure to encrypt your communications exposes sensitive data in online profiles to eavesdroppers, who could snoop on the content of your profile to learn about delicate subjects like religious and political views, drug use, and sexual practices. The failure to encrypt also exposes the HTTP cookie that is used to authenticate you to the site, which means an eavesdropper can actually take over your account and impersonate you, even without knowing your password.
OkCupid lets users answer questions to help improve their matches. Users get privacy settings to "privately answer questions," though the information is still sent in plaintext.
Although security experts have warned about this problem for over a decade, the attack was sometimes dismissed as theoretical or difficult to pull off. All that changed with the release of Firesheep, a simple tool that can be used on shared wifi networks to take over web-based accounts on non-HTTPS sites. This kind of eavesdropping is trivial for someone with even basic skills.
Firesheep allows an attacker to take over an account by stealing a cookie, without ever knowing the account password. For instance, when you sit down in a cafe using a shared network and log into a site that doesn't have HTTPS enabled, someone using the same network can watch what you are doing and even impersonate you.
Because OkCupid's login form is also delivered over insecure HTTP, a more sophisticated attacker could tamper with the login form itself, replacing it with a version that disables HTTPS entirely in order to learn the user's password.
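As an added example (not from the original article), here is a small Python audit of the two server-side failures this section describes: a login or session cookie that a browser will also send over plain HTTP, and a site that never commits to HTTPS. The header samples and the session-cookie name heuristic are constructed for illustration, not taken from any real site.

```python
SESSION_HINTS = ("sess", "auth", "login", "token", "sid")  # constructed heuristic

def parse_set_cookie(header: str):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs

def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)

def audit_response(headers):
    """headers: list of (name, value) pairs from one server response.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    names = {n.lower() for n, _ in headers}
    for hname, value in headers:
        if hname.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if not looks_like_session_cookie(cookie):
            continue
        if "secure" not in attrs:
            findings.append(f"{cookie}: no Secure flag, so the browser also sends it "
                            "over plain HTTP, where anyone on the network can copy it")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: no HttpOnly flag, so page scripts can read it")
    if "strict-transport-security" not in names:
        findings.append("no Strict-Transport-Security header, so browsers will keep "
                        "accepting plain-HTTP versions of the site")
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(hdrs) or ["ok"])
```

The weak sample reproduces the situation described above: the cookie that authenticates the user travels over HTTP and nothing tells the browser to insist on HTTPS, while the hardened sample is flagged for nothing.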
Major websites like Facebook and Twitter have come to understand these threats and offered meaningful, comprehensive HTTPS support to protect their users. These actions are in line with former Federal Trade Commissioner Pamela Jones Harbour's call for sites to adopt HTTPS. Unfortunately, online dating sites like OkCupid are lagging behind—way behind.
Tell OkCupid to protect your privacy