sfguyyy

May 17, 2010

Well having access to someone's personal email correspondence on very private personal matters is reason enough as far as I'm concerned.

And Kyle, your profile issue is being worked-on.

 

twocs

May 17, 2010

Just a comment. The login instantly feature is that it creates a link like this to login:

http://www.okcupid.com/l?0z2thVfIRsdwaWrm

In each person's link there are 16 characters. There are 4 x 10^28 possible combinations and 10^6 users, thus to randomly select a valid login instantly requires 4 x 10^22 attempts on average. This is a lot of attempts needed, so it seems reasonable that it wouldn't be easy to accomplish in this current era of Gigabytes. On the other hand, if somebody had access to a botnet comprised of about 10 million computers, OkCupid's login instantly featurette would crumble.

erikok

May 18, 2010

twocs, if someone has access to a botnet of about 10 million computers, they are probably smart enough to realize that there's not much money in messing around with OkCupid users and there's more money in looking at those 10 million computers for credit card details.

 

Also I'm pretty sure we would notice someone attempting to login 40000000000000000000000000000 times.

twocs

May 20, 2010

twocs, if someone has access to a botnet of about 10 million computers, they are probably smart enough to realize that there's not much money in messing around with OkCupid users and there's more money in looking at those 10 million computers for credit card details.

 I see that you're hoping that (1) OkCupid is too obscure to attack, and (2) humans will notice an intrusion. More power to you!

FYI, this is a type of security by obscurity defense. I particularly like this sentence in http://en.wikipedia.org/wiki/Security_through_obscurity: "Operators and developers/vendors of systems that rely on security by obscurity may keep the fact that their system is broken secret to avoid destroying confidence in their service or product and thus its marketability, and this may amount to fraudulent misrepresentation of the security of their products."

sfguyyy

May 20, 2010

 

No one claimed OkC is too obscure to attack.  OkC is attacked every single day.

There are all sorts of theoretical vulnerabilities that don't rate much lost sleep from those who understand the risk profile.

erikok

May 20, 2010

You do realize that 4 x 10^22 is more than we have had total logins to okcupid ever? If suddenly we had more logins in the span of an hour than we have ever had in our history I'm pretty sure something would just stop working.

Let's break down the numbers here, assuming a botnet computer has 1 IP address and is a normal Windows computer...pretty safe assumption I would say, wouldn't you? So due to that you can have roughly 65000 simultaneous connections from 1 machine. For simplicity let's say each request takes 1 second, which is probably on the low side since Windows (the most likely computer in a large botnet) rate limits half-open TCP connections to roughly 10 per second, but let's assume Mr. Botnet Operator has removed that limit.

So you need to make roughly 40000000000000000000000000000 connections over the course of an hour at 65000 per computer. So you need 170940170940170 computers, or assuming each has a public IP address, about 39800 times the IPv4 address space. Hell, let's work this out and say the botnet operator wants to go full force for a year, so then he only needs 468329235452 computers hitting our site for a year. Again that is *only* 109 times the size of the entire IPv4 address space. Using your 10 million computer botnet at 65000 requests per computer per second it would only take 1951 years to break.

So I assume you feel that all encryption is based on security through obscurity? I mean AES can be cracked if you have a big enough botnet and enough time too. Perhaps we should have all users visit the OkCupid offices and get a one-time pad generated from a secure source of randomness so that we can generate unbreakable authlinks for them.

 

(Let me know if I screwed up the math anywhere, just knocked it out quickly using 'bc' and it's possible that it doesn't handle numbers that large very well.)

twocs

May 21, 2010

erikok, note that I wrote: " This is a lot of attempts needed, so it seems reasonable that it wouldn't be easy to accomplish in this current era of Gigabytes." No need to keep harping on this.

Someone at OkCupid has decided that passwords are nonsense. That's up to OkCupid to manage the security, but the users are the potential victims. And claiming that OkCupid is too obscure to be a target is not true. And in a court case, OkCupid would need to prove that they take network security seriously, and don't come up with cockamamie plans for sneering at passwords (and cookies). Some ideas for tightening security:

1. Use SSL for Login Instantly (already implemented?)
2. Automatically block IPs that use a false Login Instantly address
3. Use a short (36-hour?) validity window for a Login Instantly address
4. Upon issuing a new Login Instantly address to a user through email, prevent that user's old Login Instantly from working
5. Require a password for login (in my mind preferable, since a private investigator that gains access to my email doesn't get carte blanche to my OkCupid account)

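As an added illustration (this is example code written for this page, not OkCupid's implementation and not posted by anyone in the thread), here is a small server-side model of a "login instantly" link that applies the mitigations listed in the post above, together with the keyspace arithmetic the thread goes back and forth over. Assumptions: the token alphabet is [A-Za-z0-9] and the length is 16, read off the sample link http://www.okcupid.com/l?0z2thVfIRsdwaWrm; the 36-hour window is the one suggested above; the lockout threshold of five bad guesses per client address and the `LoginLinkStore` class and its method names are invented for the example.

```python
import hashlib
import secrets
import string
import time

# Token format assumed from the sample link in the thread
# (http://www.okcupid.com/l?0z2thVfIRsdwaWrm): 16 characters of [A-Za-z0-9].
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
TOKEN_LEN = 16


def keyspace(alphabet_size=len(ALPHABET), length=TOKEN_LEN):
    """Number of possible tokens: 62**16, about 4.8e28."""
    return alphabet_size ** length


def expected_guesses(live_tokens, alphabet_size=len(ALPHABET), length=TOKEN_LEN):
    """Mean random guesses before the first hit on any of `live_tokens` valid links.
    Each guess hits with probability live/keyspace, so the number of guesses is
    geometric with mean keyspace/live.  Fewer live links (short expiry, a single
    link per user) raises the attacker's cost directly."""
    return keyspace(alphabet_size, length) / live_tokens


def seconds_to_hit(live_tokens, guesses_per_second):
    """Wall-clock time for the mean guess count at an aggregate guess rate."""
    return expected_guesses(live_tokens) / guesses_per_second


class LoginLinkStore:
    """Server side of a password-less login link (hypothetical class for this page).

    Mitigations modelled: a short validity window; one live link per user, so
    issuing a new link kills the old one; links bound to a password
    'generation', so changing the password revokes them; hashed storage; and
    lockout of a client address after repeated bad guesses.  Links stay
    reusable until expiry, as described in the thread."""

    def __init__(self, ttl_seconds=36 * 3600, max_failures=5, clock=time.time):
        self.ttl = ttl_seconds              # 36 h, the window suggested in the thread
        self.max_failures = max_failures    # assumed lockout threshold
        self.clock = clock                  # injectable so tests can move time
        self.links = {}           # sha256(token) -> (user, issued_at, pw_generation)
        self.pw_generation = {}   # user -> int, bumped on every password change
        self.failures = {}        # client_ip -> count of bad guesses

    @staticmethod
    def _hash(token):
        # Store only a digest: a leaked table does not yield working links.  The
        # dict lookup on the digest of a ~95-bit secret needs no constant-time compare.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        # A freshly issued link invalidates the user's older ones.
        self.links = {h: v for h, v in self.links.items() if v[0] != user}
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
        gen = self.pw_generation.setdefault(user, 0)
        self.links[self._hash(token)] = (user, self.clock(), gen)
        return token

    def change_password(self, user):
        # Every outstanding link for this user now carries a stale generation.
        self.pw_generation[user] = self.pw_generation.get(user, 0) + 1

    def redeem(self, token, client_ip):
        """Return the user the link belongs to, or None if it is unknown,
        expired, revoked, or the client address is locked out."""
        if self.failures.get(client_ip, 0) >= self.max_failures:
            return None                       # block a client that keeps guessing
        key = self._hash(token)
        entry = self.links.get(key)
        if entry is None:
            self.failures[client_ip] = self.failures.get(client_ip, 0) + 1
            return None
        user, issued_at, gen = entry
        if self.clock() - issued_at > self.ttl or gen != self.pw_generation[user]:
            del self.links[key]               # expired, or password changed since issue
            return None
        return user
```

`expected_guesses(10**6)` reproduces the "one hit per 4 x 10^22 guesses" figure from earlier in the thread for a million live links; passing the number of links that are actually still inside the validity window instead of the whole user base shows how much the expiry alone buys, and `seconds_to_hit` turns that into time at whatever aggregate guess rate you want to assume for a botnet.
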
sfguyyy

May 21, 2010

 

Someone at OkCupid has decided that passwords are nonsense. 

 

And you base that big giant presumption on what?

 

And claiming that OkCupid is too obscure to be a target is not true.

 

I've already attempted to correct that other wild presumption of yours that has no foundation, but you keep acting like it's true just because you say so.

 

And in a court case, OkCupid would need to prove that they take network security seriously,

 

I sincerely doubt that you will find many (if any) court cases where someone has sued a website like OkCupid for "insufficient security" and won.  I certainly have never heard of such a case and I read news on this sort of topic daily.

 

 

phartizan

Jul 4, 2010

It's more convenient for me to log on instantly.

c3bbb4u

Nov 15, 2010

Wow. I forwarded an okcupid email I received to a friend, and then noticed that someone was logging in as me. I changed my password and it happened again. Then I figured out that the "login instantly" link contains a password bypass key. And I can't do anything about it! So I deleted almost everything from my page. I imagine that other users have forwarded okcupid emails and have inadvertently let others snoop on their sites.

(1) Can you change my login instantly link so my page is actually secure (u/n c3bbb)?

(2) You have to change that login instantly thing. I understand that it makes it slightly easier to access the site, but at the price of a clear security compromise. Maybe you can at least have the link automatically enter the user name, but allowing a password bypass is crazy.

sfguyyy

Nov 15, 2010

c3bbb4u: Steps have been made to make that system less problematic, though you are right that if you forward an email with login links on it (yanno, the ones that have the links that say: "login instantly") you create a problem for yourself.

Use the feedback link at the bottom of any page here to let the staff know about the issue, they may be able to de-authorize those links. Though they will stop working of their own accord after a while.

 

erikok

Nov 16, 2010

If you change your password it de-auths all links, I think.

 

I doubt that it's going to be removed any time soon.

 

sfguyyy

Nov 16, 2010

^Didn't use to be the case, so if that is indeed true, that's a truly excellent development.

drl7x

Jun 19, 2011

Just wanted to add my $0.02.

It goes without saying that emails with login instantly links are very bad practice in terms of security. No other website that I know of has them, so users are likely to be unaware of the danger of forwarding emails. (For example, Facebook emails do not contain login instantly links, so why would users expect OkCupid to be different.)

If you must insist on keeping login instantly links in emails, at least do a better job of warning your users. For example, if remote images are turned off, users won't even see the words Login Instantly in the emails. Furthermore many emails contain absolutely no mention that they have login instantly links. For example, at minimum you could add a disclaimer to emails saying something like: "Warning: this email contains links that allow direct access to your account without a password. We advise against forwarding this message."

kilki

Dec 27, 2011

Hello,

I forwarded an OKCupid notification email to a friend who then used that email to access my account (bypassing the need for a password) - he then contacted an ex-girlfriend of his and did who knows what else.

I am a paying customer and I would like to know what my options are in preventing him from gaining further access to my account. 

Can someone lay out the options for me?  Currently it seems that I have 2:

a) let the person with access continue to use that one email anytime he likes to access my account or

b) delete my account and create a new one.

If those are my only 2 options, I am sad to say I will no longer be a paying customer to OKCupid.

 

sfguyyy

Dec 28, 2011

kilki: I don't believe that a person using an auth link can take over an account. You can't change the password on an account without either having the previous password, or at the very least having access to the email address used to create the account.

So just login to the account and change the password. The other person's ability to access it with the link should stop then.

You can also contact the staff via the "Contact" link at the bottom of any page here.

(PS: Make sure you use a STRONG password, that means no single common words, no names of your car, your dog, your city. Otherwise you'll end up like Sarah Palin who got her email broken into because she used her dog's name for her "security word")

 

islandsex

Dec 28, 2011

That's a documented issue, kilki. Nobody just cares to fix it.

Around the time of the PIFTS thing not too long ago, there was an incident where spammers on here would generate millions of auth links with a program and then have a bot go to them and see if they could log into someone's account. Then they would spam people with AFF links.

OKC staff never fixed it. It went on for months. So if someone knows one url, they can log in to your account. It's f***ing ridiculous.

It used to be that they could get your password like that too, it was covered by stars, but if you went to 'view source', it would show it in plaintext.

There's basically nothing you can do. You can contact OKC all you want and you'll never get a response. Your only bet is to find a staffer's screenname and message him and hope he'll be compassionate enough to fix something for you.

Look out for sfgay, he pretends to work for okcupid, but he doesn't.

sfguyyy

Dec 29, 2011

 

...it was covered by stars...

 

Talking about your eyes again, I see.

 

islandsex

Dec 29, 2011

***** <-- stars, you f***ing troll.

sfguyyy

Dec 29, 2011

 

^Yes, those are your eyes up there.

The reason they are covered by stars is the same reason you have those sunglasses on in the profile pics: if you take them off, anyone who looks in your direction will turn to stone.

Chilling.
