kilki

Dec 29, 2011

Hello, 

I am making this post because it is far from clear by reading this thread what to do if someone gets into your account via an email link.  I have NO idea why this is not on an OKCupid FAQ.

1)  If you forward email notifications to other people they will have access to your account.  Your account is wide open.  SO:  DON'T FORWARD ANY OKCUPID EMAIL TO OTHER PEOPLE.

2)  If you discover this problem and want to prevent further access you have 2 options:

a) change your password.  All the "log in instantly" links in the old email notifications become invalid and whoever was using them as a backdoor is now unable to access your account.  Please note that anyone using the backdoor will not be able to change your password as the old password is required in order to create a new password.

b) delete your account and create a new one.

Bottom line: Hacked account? -> Change your password.

This is obvious if someone has gained entry via the password, but it is far from obvious if someone is using the notification emails to gain access to the OKCupid account.  

Lastly, a note to the OKCupid employees: this sort of information should not be in some obscure forum thread.  It should be in a FAQ and readily accessible.

slickrock78

Jan 31, 2012

It would be nice if this feature could be disabled on a per-account basis.  Lots of people receive emails on their phones, and people misplace their cellphones often.  I'd rather not have my account be so susceptible to anyone accessing it out of the blue.

kilki

Feb 1, 2012

I agree.  Opting In would be nice.  Especially if you are paying.

wirehead2501

Nov 6, 2012

Just want to add a +1 to this.  I am a freaking web developer and I just absent-mindedly forwarded one of these emails to someone I barely know without realizing I was giving him a backdoor into my account.  It's ridiculous that the emails don't have a huge disclaimer saying NEVER EVER FORWARD THEM.  It's ridiculous that what to do if this happens is not clearly documented in the FAQ.

BTW, I changed my password and this did seem to invalidate the link.  Would really love to be able to view my recent account activity though.  Would doubly love to be able to opt my account out of instant login emails without having to turn off notifications completely.

twocs

Nov 8, 2012

Maybe OkCupid could use a cookie, verified computer, or dual authentication. Auto-login is really handy but giving logins through inadvertent forwards seems... like WOW. Two years! Just tested it myself to check if they fixed this vulnerability, but still nope, OkCupid still has this Cross-Site Request Forgery vulnerability.

More on the CSRF vulnerability: http://tipstrickshack.blogspot.com.au/2012/10/how-to-exploit-csfr-vulnerabilitycsrf.html

And also see http://www.cgisecurity.com/csrf-faq.html#majorattack

twocs

Nov 8, 2012

Also found OkCupid CSRF insecurities mentioned in a hack presentation.


http://www.scribd.com/doc/47187898/Breaking-in-Through-Your-Website-s-Front-Door


The interesting point is "Developers and managers more excited about new features... less likely to think about resultant security issues."

Found another interesting OkCupid link:

http://www.okcupid.com/l/.5z3g7GdOrsBR.4ES9tYWlsYm94P2ZvbGRlcj0x.4gjPSlbL4YptQm5n5ACTq.6IPXVnPnZaa7TanrC1@hyUkhdgP8Q==

MsOtis

Nov 8, 2012

What does this mean?

I get notifications in my regular email if someone sends me a PM on OKC.

If I click on the link in the (email) notification from OKC, that instantly logs me into my OKC account, to read the entire message.

Is that the "forwarding" that's dangerous?

Or do you mean taking that notification email in my regular email account, and forwarding it to another person's regular email account?


Chaeddd

Nov 8, 2012

If you and your spouse use the same computer and don't use passwords, your spouse can look at your email and use the link to see what you have been up to. If you are just using the OKC forum, you should have nothing to hide, but if you are messaging people and looking for someone to commit adultery with, your spouse could find out about it.

While people may use OKCupid for adultery, this is not a goal of the site. While you can use certain tricks to use OKC to cheat on your wife, OKC is not gonna make it easy to do this.

MsOtis

Nov 8, 2012

^ you sure know a lot about adultery. Is that what you're doing here? Are you married and looking?

Obviously, someone could link to my OKC account if they were sitting at my computer with that email open for view. Duh.


The question is about forwarding emails, and about being able to determine someone's user name and password. Clicking on a link may connect you momentarily, but it won't give you my password.

How would someone get my password? Is it embedded in the background information of the email from OKC???

Chaeddd

Nov 8, 2012

Believe me, if it's in there, they can find it.

sfguyyy

Nov 8, 2012

The link doesn't provide you with the password. But it does allow logging in to the account.

You can certainly do damage to someone by having the ability to login as them, but you cannot change someone's PW without knowing the previous one, and if you suspect that someone has gained access via one of those links, changing your PW will block that from working going forward.

I agree they should at least warn people about the danger of forwarding such link-containing emails.

Then again, it says right there "login instantly" - so it would be not unlike warning someone that if they step off the roof of a 20-story building they might get injured.
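An added example, not code from this thread or from OkCupid: a minimal Python sketch of the behaviour kilki and sfguyyy describe, where a "login instantly" link is a bearer token that anyone holding the email can use, and changing the password invalidates every previously emailed link. It assumes a server-side HMAC key, a per-user password-version counter bumped on each password change, an expiry on each link, and a constructed user store; none of that comes from the page, and the thread does not say how OkCupid actually builds its links.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Assumed server-side secret and user store, constructed for this example.
SERVER_KEY = secrets.token_bytes(32)

USERS = {
    "alice": {
        # SHA-256 stands in for a real password hash (bcrypt/argon2) to keep the example short.
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "password_version": 1,  # assumption: incremented on every password change
    },
}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> str:
    return _b64e(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())


def make_login_link(username: str, ttl_seconds: int = 86400, now: Optional[int] = None) -> str:
    """Build a 'login instantly' link: payload is user|password_version|expiry, HMAC-signed.

    Whoever holds the link can log in until it expires or the password version changes;
    the link never contains the password itself.
    """
    now = int(time.time()) if now is None else now
    pv = USERS[username]["password_version"]
    payload = f"{username}|{pv}|{now + ttl_seconds}".encode()
    return f"https://example.invalid/l/{_b64e(payload)}.{_sign(payload)}"


def verify_login_link(link: str, now: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Return (username, 'ok') for a usable link, otherwise (None, reason)."""
    now = int(time.time()) if now is None else now
    token = link.rsplit("/", 1)[-1]
    try:
        body, sig = token.split(".", 1)
        payload = _b64d(body)
        username, pv, exp = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None, "malformed"
    # Constant-time comparison of the presented signature against a fresh one.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None, "bad signature"
    if now > int(exp):
        return None, "expired"
    user = USERS.get(username)
    # A link minted before the last password change carries a stale version and is rejected.
    if user is None or int(pv) != user["password_version"]:
        return None, "invalidated by password change"
    return username, "ok"


def change_password(username: str, old_password: str, new_password: str) -> bool:
    """Require the old password (as the thread notes), then bump the version so old links die."""
    user = USERS[username]
    if hashlib.sha256(old_password.encode()).hexdigest() != user["password_hash"]:
        return False
    user["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    user["password_version"] += 1
    return True


if __name__ == "__main__":
    t0 = 1_700_000_000
    link = make_login_link("alice", now=t0)
    print(verify_login_link(link, now=t0 + 60))        # forwarded link: still works
    change_password("alice", "correct horse", "new pass")
    print(verify_login_link(link, now=t0 + 60))        # same link after password change: rejected
```

The version counter is what turns a password change into a revocation of every link already sitting in someone's inbox, which is the behaviour wirehead2501 reports observing. The expiry bounds how long a forwarded or stolen email stays useful, and a real deployment would also record which token was used from where, which is the account-activity view the thread asks for. Note that someone using a forwarded link cannot change the password through this code, because the old password is demanded first.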


Informavore

Nov 8, 2012

Or do you mean taking that notification email in my regular email account, and forwarding it to another person's regular email account?

This one.

Let's say that either you thoughtlessly forward a notification email to someone else, or I gain access to your computer and forward it to myself.  It means that anybody who has the link can log in as you without knowing your password.

Chaeddd

Nov 8, 2012

That's right. Any statement I have made that you found offensive, was actually made by someone who was able to log on as me and pretend to be me.
