twocs

Jun 10, 2009

These emails I'm getting that say "Login Instantly" are really annoying to me. Without requiring a password, I am logged into OKCupid automatically. This totally defeats the purpose of having a password for the site. If anybody happens to be able to read my email, they are then able to see my full OKCupid account.

Hello, what kind of Account Security is this??? In the news every week we see examples of web accounts being hacked. Sending users of OKCupid emails with a function "Login Instantly" violates every principle of information security.

Example of possible problems:
1. Someone hacks my email account
2. I mistakenly forward the okcupid email to somebody else

As a result of any of these problems, they therefore have all access to my okcupid.com account.

"Humor Rainbow uses industry standard efforts, such as firewalls, to safeguard the confidentiality of your personally identifiable information." This is totally wrong. Security industry does not approve of sending "login instantly" through email. Your own security description says "Because email is not recognized as a secure medium of communication, we request that you do not send private information to us by email."

And security industry standards definitely don't approve of logging in through GET! Security expert, ask yourself seriously: Should autologin urls look like this?

http://www.okcupid.com/l?gUznHlNu583Cr8Dm

That's how they look when I get them in my email. They should definitely not look like that. What happens if I try a brute force attack on this type of URL?

Should I post this security vulnerability here on your site or on http://www.milw0rm.com/. And furthermore, recent lawsuits show that security auditors are being held liable for their security failings. I suggest you address this concern quickly. It's really killing me...

TheGoatOfMendez

Jun 10, 2009

The only thing you can do to minimise this is to disable all the alert e-mails. Or delete your account of course - the site does mention it can't be held liable if information you hold on the site is compromised.

The site is unfortunately not that secure. The main thing which surprised me was that the site doesn't use HTTPS for logins so even if you use the passwords to login they're sent in plain text over the internet. If you do use the automatic URLs they're saved in the history of the machine you're using which is a problem if it's a shared PC, say in a library. If someone does use the URL to login elsewhere without your permission it is impossible to invalidate their session - changing the password to your account does not stop them accessing it once logged in so you might as well delete it.
twocs

Jun 11, 2009

Even if they claim that they aren't liable if information held on the site is compromised, I believe that there are some recent legal cases where computer security persons are being held legally accountable for security failures, especially egregious ones. It's not like the Bush administration lawyers who claim that they were not liable for okaying torture. In the case of computer security, they can be sued if there is a failure to exercise due care and skill.

This is a basic flaw in the okcupid security paradigm. Login instantly for Okcupid fails because:
1. Authentication fails to confirm that the user who clicks on a "login instantly" button or link is actually the owner of the account, relying instead on trusting everyone who gets an email with a "login instantly".
2. GET for instant login means sniffing the packets sent to the okcupid servers can see the urls used to login instantly.
3. Automatic URLs get saved in the browser history.
4. Automatic login doesn't use HTTPS.
5. Nobody asked for "login instantly".
6. There's no way for users to disable "login instantly" if they don't want it.
7. There's no system to stop brute force attacks on the "login instantly" mechanism. Users who enter a "login instantly" code that is incorrect are just redirected to the front page, so it would be a simple process to automate attacks through this method.

I believe that "login instantly" is not a widespread feature on the Internet because of related security concerns. If you want to make it easier, choose a system like OpenID. Or do like Facebook and limit access to information and forums by people who aren't logged in.

ebidk

Oct 19, 2009

*bump*

Just wanted to say I agree with the list of problems listed in the above post. I was about to write a request for point. myself but it's nice to see I'm not the only one that's concerned.

It'd be easy to disable the emails but I'd still want the notifications so that's not a real option.

sfguyyy

Oct 19, 2009

I agree that stuff is sniffable but OkCupid is hardly the world's biggest evil offender here. For example, the vast majority of people in the world with internet access send and retrieve email via protocols that are just as insecure, and I guarantee you there are a hell of a lot more of those transactions going on every minute of every day than there are OkCupid logins etc. There are also LOTS of websites that do not use SSL encryption for login.

Now I'd love it if OkCupid, and every other website for that matter, used SSL to encrypt all authentication data, but there is significant overhead associated with that, and there are a lot of other much more prevalent unencrypted internet transactions (ie unencrypted SMTP and POP3, as well as HTTP) out there that are a much greater potential source of auth data than just this one website.

The real question is: how many other places do you use the same password?  If all we did was get people to stop doing that, we wouldn't have people like Paris Hilton and Sarah Palin hitting the front-pages from being victimized by "hackers" who did nothing more than guess the name of their family pet or something.

ebidk

Oct 19, 2009

Just because other sites/protocols don't do it properly is no excuse not to do it properly here. You got to start fixing those things somewhere, one small step at a time, so why not take one of those steps here?

I came here instead of a country specific site because it was the best free site and the local one was storing passwords in cleartext and mailing username and password to you if you didn't log in every few weeks, and didn't respond to questions about getting that fixed. It'd be nice if this place weren't nearly as broken.

OkCupid is a much nicer site anyway so I'd hate to have to look for a more safety-conscious alternative.

erikok

Oct 20, 2009

About someone reading your emails, I'm going to cut and paste from a previous thread:

If someone is reading your mail it doesn't matter if they have a quick login link since it would be trivial for them to just submit "forgot password" on any site they want access to and have it reset. Plus I think at the point that someone is reading your email, your OkCupid account is going to be the least interesting to them, bank accounts/etc are usually much much higher on any criminal's list. Unless you have some sort of forwarding setup, your mail only goes through 2 companies' mail servers, the first one being OkCupid's, the second being your email provider.

SSL Auth is available at https://www.okcupid.com/login, there are future plans about making all places that take your password converse via SSL.

I can take the time to refute most of the points 1 by 1 if you would like but it will have to wait until after lunch.

TheGoatOfMendez

Oct 20, 2009

If we take the scenario you've outlined - someone has access to my e-mail (the OKC scenario is somewhat broader as interception of the mail in transit over the network is enough to compromise the URLs rather than needing access to the mailbox itself but we'll set that aside for now) then what would happen is the naughty person would use the reset password function to gain access to the account and then it would become immediately obvious to me that someone had done this because next time I tried to log in I wouldn't be able to do so myself. I'd then know to reset the password, check my security etc.  - none of this would happen if someone had gotten access to an OKC passwordless URL as it is impossible to tell that someone else is using them (last login IP address would help here perhaps) and it is impossible to invalidate their sessions by changing your password. There was (assuming it's true) a rather tragic example of someone posting on the forums a while back asking how to stop this whilst their profile was in the middle of being vandalised by an unknown party.

Picking another scenario imagine someone is in a coffee shop using their wi-fi. They're not a geek so they're not tunneling or encrypting their own traffic so anything they're doing is visible to the other people in the coffee shop. If they then click on a passwordless link in their e-mail it's potentially accessible by anyone else in that coffee shop running the "right" software.

I agree it's unrealistic to expect a "Bank" level of security (although I think you're wrong in thinking that the site is less likely to be inappropriately accessed than someone's bank details - I'd suggest that it is more likely for someone to have a stalker, jealous partner or curious "friend" who would try to access here than someone who would try to steal money) and I'm sure the passwordless links have boosted traffic but for a site run by highly technical people the security is lacking somewhat. If you could a) provide an opt out, b) allow a password reset to invalidate old ones and c) show more clearly to a user where their account had last been logged in from - then I think that would help.
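
An added example, not part of any post in this thread and not OkCupid's code: a sketch of e-mailed login links that expire, work once, stop working after a password change, can be opted out of, and throttle guessing. The class name, the 15-minute lifetime and the failure limit are assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed policy: a link is valid for 15 minutes
MAX_FAILURES = 5      # assumed policy: bad guesses allowed per client

def token_digest(token):
    # Only the digest is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

class LoginLinks:
    """Hypothetical server-side store for e-mailed one-click login tokens."""

    def __init__(self):
        self.tokens = {}        # digest -> (user, credential version, expiry)
        self.cred_version = {}  # user -> counter bumped on every password change
        self.opted_out = set()  # users who asked for no login links (suggestion a)
        self.failures = {}      # client id (e.g. source IP) -> failed redemptions

    def issue(self, user, now=None):
        if user in self.opted_out:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[token_digest(token)] = (
            user, self.cred_version.get(user, 0), now + TOKEN_TTL)
        return token

    def change_password(self, user):
        # Suggestion b: every outstanding link for this user stops working.
        self.cred_version[user] = self.cred_version.get(user, 0) + 1

    def redeem(self, token, client, now=None):
        now = time.time() if now is None else now
        if self.failures.get(client, 0) >= MAX_FAILURES:
            return None  # throttled: repeated guessing from this client
        record = self.tokens.pop(token_digest(token), None)  # single use
        if record is None:
            self.failures[client] = self.failures.get(client, 0) + 1
            return None
        user, version, expires = record
        if now > expires or version != self.cred_version.get(user, 0):
            return None  # expired, or issued before the last password change
        return user
```

The same version counter can be stored in each session record, so that a password change also ends sessions that were already logged in.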

sfguyyy

Oct 20, 2009

TGOM's last sentence there has some reasonable suggestions.

erikok

Oct 20, 2009

TGOM: Very true on all counts. I don't see A happening anytime soon, however B is possibly coming in the future and C is possible if we had some good place to show it. Your scenario makes a lot more sense than worrying that someone is going to brute force the hashing algorithm to login as whomever they want.

TheGoatOfMendez

Oct 20, 2009

Just as another related point the site's current behaviour is to allow a user to have multiple independent validated sessions with no apparent requirement to re-authenticate provided that they're frequently used. I'm not sure what the standard/best practice is for this but there is a potential problem if someone accidentally leaves themselves signed in at another computer, say in a public library (or worse, imagine if you had been on holiday and had no way to return to log it out). The way I personally use the site I can't see a problem with having each fresh login invalidate any previous sessions but if that's deemed too draconian then at least set a timeout for the authentication on each individual session.

sfguyyy

Oct 20, 2009

Oh and BTW: thanks for that hot tip about the availability of SSL for users who wish to use it.  I would think that would go a long way towards assuaging some of the critics here, at least for those who care about such things.

As we all know, we are typically endangered far more by the people who know little or care little about security. (See: botnets, social engineering, etc.)

erikok

Oct 20, 2009

Hm I thought I had responded to this, must be in another tab somewhere...anyway TGOM, agreed and I think that's a problem that will be fixed in the near-ish future.

sfguyyy: I suppose I should make a list of handy links and such like that and post it somewhere. Might make it easier for some people to find things. Very true it's mostly a social issue for the majority of things.

swizzxx

Dec 14, 2009

Just an addition to this conversation...When I got my first "login instantly" email, I didn't realize that "instantly" meant without having to enter a password, and I never tested it.  I forwarded the email to my friend to tell her about okcupid, and consequently she now has full access to my account.  Ok, she's my friend and thankfully she told me about how the link worked, so it's not the worst thing in the world, but it does make me feel a little exposed, and what if I had sent it to someone I was a little less friendly with?  I don't know of ANY other site that allows an instant login link like that without having to enter a password.  I subsequently changed my password, but the same link still works.  So I can't think of a way to undo this without closing my account and opening a new one (or not).

sing_le

Dec 14, 2009

The tradeoff between convenience and security is ever present. I've at least tried simultaneous sessions in the past to check data from one part of the site while composing in another, and I use a non-web client for my email so I can't use those links anyway... but the switch to persistent storage of one's username on the main screen is a risk of sorts in itself for any shared computer. If two people log into OKCupid from a cafe the second one will see the first one's username.

okcukoop

May 10, 2010

i've the same problem: forwarded an okc email to a friend only to realize that the 'login instantly' link works on her end, too, and changing my okc password has no effect on this! is there any resolution other than killing my current account and starting over? if that's the alternative, i may just kill it altogether. this is a huge security gap. at the very least, your emails should warn users that sharing of okc emails will open your account up to others.

cheers,
daVe

sfguyyy

May 10, 2010

FWIW, the site now uses SSL by default for logins, so that's been improved.

However I wasn't previously aware of the fact that a PW change doesn't invalidate the login links, and I agree that's a definite problem.

kyle7513

May 17, 2010

Here fucking here!  I'm having this problem right now.  My account has been compromised because my mail was hijacked.  No matter how many times I change my password or email notification, this freak can still click on an old email and logon without a password and change my profile.  Great site, guys!

sweetviolet79

May 17, 2010

see that would only worry me if this were amazon.com & not okcupid. from what I can see, this website really doesn't have anything worth hacking into? it doesn't seem to store anything too personal like credit card numbers... but some members are paying members, so I could still be wrong.

ebidk

May 17, 2010

sweetviolet79: You're forgetting those who'd do it for the lulz.
