A bug in OKCupid’s recently released Crazy Blind Date application allowed complete strangers to paw at users’ data.
The Wall Street Journal discovered the flaw in the API of the mobile app, which was released on Tuesday morning.
The app, available on Android and iOS devices, allows users to name a time and a venue, then sets users up on a blind date.
Unfortunately, the API hole allowed for a bit of data groping and a lot less blindness, exposing users’ email addresses, full birth dates, first name, gender and profile pictures.
OKCupid patched the hole immediately after the WSJ informed the company, around 1:30 p.m. Eastern time on Tuesday, the newspaper reported.
In the short time between discovery and patching of the hole, sensitive private data wasn’t displayed to casual users, being available only to somebody “with the right technical know-how” to extract it, the WSJ reported.
The technically savvy could go to an OKCupid.com profile page, find a Crazy Blind Date user’s numeric ID, and then access their email address and birth date.
CEO Sam Yagan told the WSJ that the company uncovered no evidence of anyone exploiting the glitch, which he described as minor:
"It was essentially a typo, and really inadvertent."
Post-fix, the API now only gives a user’s ID, first name, gender, desired mates’ gender, and profile photo, without email address or birth date.
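The bug the article describes is an API response that carried more fields than the endpoint needed to return. The following is an added example, not OKCupid's code, contrasting a handler that serialises the whole stored record with one that emits only an explicit allowlist; the field names, record layout and sample user are assumptions.

```python
"""Allowlist serialisation for a profile-lookup endpoint.

Added example; the store layout and field names are assumptions.
"""
from typing import Any, Dict, Optional, Set

# Constructed sample record: values are made up for this example.
USER_DB: Dict[int, Dict[str, Any]] = {
    1001: {
        "id": 1001,
        "first_name": "Alex",
        "gender": "F",
        "desired_gender": "M",
        "photo_url": "https://example.invalid/photos/1001.jpg",
        "email": "alex@example.invalid",  # private, must never leave the server
        "birth_date": "1990-04-12",       # private
    },
}

# The fields the patched API returns, per the article (names assumed).
PUBLIC_FIELDS = ("id", "first_name", "gender", "desired_gender", "photo_url")


def lookup_user_leaky(user_id: int) -> Optional[Dict[str, Any]]:
    """Before: return the stored record as-is, so anyone who knows a
    numeric ID also receives the private columns."""
    record = USER_DB.get(user_id)
    return dict(record) if record else None


def lookup_user_allowlisted(user_id: int) -> Optional[Dict[str, Any]]:
    """After: copy only the explicitly public fields. A new column added to
    the store never widens the response unless it is added here too."""
    record = USER_DB.get(user_id)
    if record is None:
        return None
    return {field: record[field] for field in PUBLIC_FIELDS if field in record}


def leaked_private_fields(response: Optional[Dict[str, Any]]) -> Set[str]:
    """Review check: which keys in a response fall outside the allowlist."""
    if response is None:
        return set()
    return set(response) - set(PUBLIC_FIELDS)
```

The `leaked_private_fields` check is the kind of assertion a test suite can run against every endpoint's sample response, so a regression of this sort fails CI rather than reaching production.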
As noted by commenters and Ars Technica’s Jacqui Cheng, it’s wise to use a separate, non-identifiable email address when dealing with such an app, regardless of a service’s claims that email addresses won’t be made public.
As was recently made apparent by an FTC report on kids’ mobile apps, plenty of apps share personal information with third parties without notification or requesting permission.
So there’s no good reason to assume that dating apps don’t share this information too.
Beyond using a purpose-built email address, it’s also a good idea to fudge your birth date.
That might be a deal breaker in online dating, where the fineness of an aged wine doesn’t always get the appreciation of a dewy young peach and where shaving years is seen as a sin, but your dates are unlikely to bellyache if you only tweak your birth month and/or day.
The more brazen dating sites such as match.com just do full data rape and hardly warn you! Unless you remember to tick the minuscule opt-out box whenever you view your profile, you get subscribed to some very dubious sites automatically! They also operate invisible forms to trawl for auto-fill form loopholes.
Sorry, I meant cupid.com and its related websites! I would add that once subscribed you also have to ring a premium-rate “helpline” to unsubscribe fully! Along with the full-blown data rape and use of personal data given to marketing agencies, this group of sites seems to ignore the spirit of nearly all privacy legislation.
I used okCupid 5 years ago, and 4 years on am happily living with someone I met on there! I think it was fairly basic then, and I don't seem to have had any problems. (I no longer use it!)
I used OK Cupid briefly, I thought it was very corrupt. There were many fake profiles, and many suitable people writing to me before I joined. As soon as I paid, they all disappeared….
Many many fake profiles.
I am certain that 'gmd' is talking about some other site than OK Cupid – https://en.wikipedia.org/wiki/OK_Cupid – OK Cupid is free to use, with enhancements available by subscription. There is no need for money with this site.
'gmd' might possibly be referring to Cupid Plc, which is a network of paid dating sites – https://en.wikipedia.org/wiki/Cupid_Plc – although I have not had major problems with them apart from that they take a while to forget you when you ignore them – they pass your username round the group, so you get some of them trying to get your interest for a month or two. I have had no sign that they have passed my details outside the group.
As you would expect from a paid site it is not fully functional without a subscription – you can create an account & see other accounts, but there is no communication, so you are just window-shopping till you pay.
I found it to be unsatisfactory, but essentially harmless.