OKCupid app, Crazy Blind Date, peeks into your privates


A bug in OKCupid's recently released Crazy Blind Date application allowed complete strangers to paw at users' data.

The Wall Street Journal discovered the flaw in the API of the mobile app, which was released on Tuesday morning.

The app, available on Android and iOS devices, allows users to name a time and a venue, then sets users up on a blind date.


Unfortunately, the API hole allowed for a bit of data groping and a lot less blindness, exposing users' email addresses, full birth dates, first name, gender and profile pictures.

OKCupid patched the hole immediately after the WSJ informed the company, around 1:30 p.m. Eastern time on Tuesday, the newspaper reported.

In the short time between discovery and patching of the hole, sensitive private data wasn't displayed to casual users, being available only to somebody "with the right technical know-how" to extract it, the WSJ reported.

The technically savvy could go to an OKCupid.com profile page, find a Crazy Blind Date user's numeric ID, and then access their email address and birth date.

CEO Sam Yagan said the company uncovered no evidence of anyone exploiting the glitch, which was minor, he told the WSJ:

"It was essentially a typo, and really inadvertent."

Post-fix, the API now only gives a user's ID, first name, gender, desired mates' gender, and profile photo, without email address or birth date.
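The difference between the pre-fix and post-fix responses described above can be shown as a serializer that returns the whole stored record next to one that copies only an explicit allowlist. This is an added example, not OKCupid's code: the field names, the sample record and the rule that an owner may see their own email and birth date are all assumptions made for illustration.

```python
# Added illustration; not OKCupid's code. Field names are assumed.
PUBLIC_FIELDS = ("id", "first_name", "gender", "seeking_gender", "photo_url")
SENSITIVE_FIELDS = {"email", "birth_date"}

# Constructed sample record standing in for a stored user row.
SAMPLE_USER = {
    "id": 1001,
    "first_name": "Alex",
    "gender": "f",
    "seeking_gender": "m",
    "photo_url": "https://cdn.example.invalid/p/1001.jpg",
    "email": "alex@example.invalid",
    "birth_date": "1985-04-12",
}


def serialize_leaky(user):
    """'Before' pattern: return the whole stored record to any caller."""
    return dict(user)


def serialize_profile(user, viewer_id=None):
    """Hardened pattern: copy only allowlisted fields.

    Sensitive fields are added only when the viewer is the account owner
    (an assumed policy). A field that is misspelled or newly added to the
    record is simply not returned, so a slip fails closed.
    """
    out = {k: user[k] for k in PUBLIC_FIELDS if k in user}
    if viewer_id is not None and viewer_id == user["id"]:
        out.update({k: user[k] for k in SENSITIVE_FIELDS if k in user})
    return out


def leaked_fields(payload, path=""):
    """Regression check: list paths of sensitive keys anywhere in a response."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_FIELDS:
                hits.append(here)
            hits.extend(leaked_fields(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            hits.extend(leaked_fields(item, f"{path}[{i}]"))
    return sorted(hits)
```

Running `leaked_fields` over recorded responses for a non-owner viewer in a test suite catches this class of exposure before release.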

As noted by commenters and Ars Technica's Jacqui Cheng, it's wise to use a separate, non-identifiable email address when dealing with such an app, regardless of a service's claims that email addresses won't be made public.

As was recently made apparent by an FTC report on kids' mobile apps, plenty of apps share personal information with third parties without notification or requesting permission.

So there's no good reason to assume that dating apps don't share this information too.

Beyond using a purpose-built email address, it's also a good idea to fudge your birth date.

That might be a deal breaker in online dating, where the fineness of an aged wine doesn't always get the appreciation of a dewy young peach and where shaving years is seen as a sin, but your dates are unlikely to bellyache if you only tweak your birth month and/or day.


5 Responses to OKCupid app, Crazy Blind Date, peeks into your privates

  1. gmd · 993 days ago

    The more brazen dating sites such as match.com just do full data rape and hardly warn you! Unless you remember to tick the minuscule opt out box whenever you view your profile, you get subscribed to some very dubious sites automatically! They also operate invisible forms to trawl for auto fill forms loopholes.

  2. gmd · 993 days ago

    Sorry I meant cupid.com and its related websites! I would add that once subscribed you also have to ring a premium rate "helpline" to unsubscribe fully! Along with the full blown data rape and use of personal data given to marketing agencies this group of sites seems to ignore the spirit of nearly all privacy legislation.

  3. kim · 993 days ago

    I used okCupid 5 years ago, and 4 years on am happily living with someone I met on there! I think it was fairly basic then, and I don't seem to have had any problems. (I no longer use it!)

  4. Don · 989 days ago

    I used OK Cupid briefly, I thought it was very corrupt. There were many fake profiles, and many suitable people writing to me before I joined. As soon as I paid, they all disappeared....

    Many many fake profiles.

  5. happy OK Cupid user · 988 days ago

    I am certain that 'gmd' is talking about some other site than OK Cupid - https://en.wikipedia.org/wiki/OK_Cupid - OK Cupid is free to use, with enhancements available by subscription. There is no need for money with this site.

    'gmd' might possibly be referring to Cupid Plc which is a network of paid dating sites - https://en.wikipedia.org/wiki/Cupid_Plc - although I have not had major problems with them apart from they take a while to forget you when you ignore them - they pass your username round the group, so you get some of them trying to get your interest for a month or two. I have had no sign that they have passed my details outside the group.
    As you would expect from a paid site it is not fully functional without a subscription - you can create an account & see other accounts, but there is no communication, so you are just window-shopping till you pay.
    I found it to be unsatisfactory, but essentially harmless.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.