OKCupid app, Crazy Blind Date, peeks into your privates

A bug in OKCupid’s recently released Crazy Blind Date application allowed complete strangers to paw at users’ data.

The Wall Street Journal discovered the flaw in the API of the mobile app, which was released on Tuesday morning.

The app, available on Android and iOS devices, allows users to name a time and a venue, then sets users up on a blind date.

Unfortunately, the API hole allowed for a bit of data groping and a lot less blindness, exposing users’ email addresses, full birth dates, first name, gender and profile pictures.

OKCupid patched the hole immediately after the WSJ informed the company, around 1:30 p.m. Eastern time on Tuesday, the newspaper reported.

In the short time between discovery and patching of the hole, sensitive private data wasn’t displayed to casual users, being available only to somebody “with the right technical know-how” to extract it, the WSJ reported.

The technically savvy could go to an OKCupid.com profile page, find a Crazy Blind Date user’s numeric ID, and then access their email address and birth date.

CEO Sam Yagan told the WSJ that the company had uncovered no evidence of anyone exploiting the glitch, which he described as minor:

"It was essentially a typo, and really inadvertent."

Post-fix, the API now only gives a user’s ID, first name, gender, desired mates’ gender, and profile photo, without email address or birth date.
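As an added example (not OKCupid's code), here is a regression check a service could run over a public profile response to catch the kind of over-exposure described above. The key names, the `audit_response` helper and the sample payloads are assumptions constructed for illustration; the article names the fields but not the API's actual keys.

```python
import re

# Assumed key names: the article lists the post-fix fields, not the API's keys.
PUBLIC_FIELDS = {"id", "first_name", "gender", "desired_gender", "photo"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
FULL_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b")


def audit_response(obj, path=""):
    """Return sorted findings for a decoded JSON profile response.

    Top-level keys must be in PUBLIC_FIELDS. String values at any depth are
    also checked, so an email or full date under an allowed key is caught.
    """
    findings = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else str(key)
            if not path and key not in PUBLIC_FIELDS:
                findings.append(f"unexpected field: {here}")
            findings.extend(audit_response(value, here))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            findings.extend(audit_response(item, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj):
            findings.append(f"email-like value: {path}")
        if FULL_DATE_RE.search(obj):
            findings.append(f"date-like value: {path}")
    return sorted(findings)


# Constructed sample payloads (not captured from the real service).
PHOTO = {"url": "https://cdn.example.com/p/1234567.jpg"}
BEFORE_FIX = {"id": 1234567, "first_name": "Alex", "gender": "f",
              "email": "alex@example.com", "birthdate": "1985-03-14",
              "photo": PHOTO}
AFTER_FIX = {"id": 1234567, "first_name": "Alex", "gender": "f",
             "desired_gender": "m", "photo": PHOTO}

if __name__ == "__main__":
    for name, payload in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(name, audit_response(payload) or "clean")
```

Run against every public endpoint in a test suite, a check like this fails the build when a serializer change starts returning a field that was never meant to leave the server.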

As noted by commenters and Ars Technica’s Jacqui Cheng, it’s wise to use a separate, non-identifiable email address when dealing with such an app, regardless of a service’s claims that email addresses won’t be made public.

As was recently made apparent by an FTC report on kids’ mobile apps, plenty of apps share personal information with third parties without notification or requesting permission.

So there’s no good reason to assume that dating apps don’t share this information too.

Beyond using a purpose-built email address, it’s also a good idea to fudge your birth date.

That might be a deal breaker in online dating, where the fineness of an aged wine doesn’t always get the appreciation of a dewy young peach and where shaving years is seen as a sin, but your dates are unlikely to bellyache if you only tweak your birth month and/or day.