Tuesday, August 20, 2013

Not OK, Cupid: dating site email security gaffe leaves your account wide open


A friend who recently started using OKCupid just forwarded me an email she got from the site, containing a funny message from a prospective suitor: "You seem nice. Would you like to do a date with me?"


I clicked on the message, curious to see if the sender was a sexy foreigner for whom English was a second language. Suddenly, I was in my friend's account, staring at all her read and unread messages. I could see her instant messages. I could edit her profile. Just because I had clicked on an email sent to her, OKCupid thought I was her.


OKCupid frequently emails its users new matches, prompts them to update their accounts, and sends them other links to the site. Those "login instantly" links include a token that logs in to the account...
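The safer shape for an email login link, as an added example that is not the article's or OKCupid's code: the token is signed so it cannot be forged, expires after a short window, and is consumed on first use so a forwarded email cannot log anyone in afterwards. The secret key, the 15-minute lifetime and the in-memory store of unconsumed tokens are assumptions standing in for real server state.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = b"constructed-server-side-secret"  # assumption: kept only on the server
TOKEN_TTL = 15 * 60                               # assumption: links live 15 minutes

# Stand-in for a database table of issued, not-yet-consumed tokens (nonce -> user_id)
_issued = {}


def issue_login_token(user_id, now=None):
    """Build a signed, single-use, expiring token for an emailed login link."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    payload = f"{user_id}|{now + TOKEN_TTL}|{nonce}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    _issued[nonce] = user_id  # remembered so it can be consumed exactly once
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def redeem_login_token(token, now=None):
    """Return the user_id if the token is authentic, unexpired and unused; else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # forged or tampered link
    parts = payload.decode().split("|")
    if len(parts) != 3:
        return None
    user_id, expires, nonce = parts
    if now > int(expires):
        _issued.pop(nonce, None)  # expired: drop it so it can never be redeemed
        return None
    if _issued.pop(nonce, None) != user_id:
        return None  # already consumed (e.g. a forwarded email) or never issued
    return user_id
```

Even with these checks, a clicked link should at most start a session for the intended recipient; actions such as changing the email address or password still deserve a fresh password prompt.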


via The Verge - All Posts http://www.theverge.com/2013/8/20/4639934/login-instantly-okcupids-gaping-security-hole-that-gives-full-account-no-password
