A few months ago, this Betabeat reporter jokingly created an OKCupid account on a whim with the username “ilovebitcoin” to solicit amusing messages from people who were shocked–shocked–to discover that ladies know about cryptocurrency, too. (“Think of all the randos who will want to message me!” she thought to herself one evening, feverishly pecking away on her keyboard all by her lonesome. “My life is awesome.”)
Indeed, the messages we received were oftentimes hilarious, so we’d occasionally forward them on to friends. What we didn’t realize, however, was that every time we forwarded an OKCupid email to someone, it gave that person direct access to our account–every silly message, chat and photo could be seen and even edited.
The Verge reports that this is the result of a system called “login instantly,” which allows users to access their accounts simply by clicking a link from an OKCupid email, without needing to sign in. The point is to make it as easy as possible to get into your account, but it also leads to a gaping security hole. Writes The Verge:
“Login instantly” is not new, but it’s an unusual choice for a social network, and a potentially alarming feature for a service that many users consider deeply personal. Furthermore, most users don’t seem to be aware of it. Those who are have been complaining since 2009 about how easy it is to accidentally give out full account access. OKCupid declined to comment on the practice.
Another example of login instantly gone terribly wrong occurred when a blogger was writing a post about an OKCupid user and grabbed his profile link without realizing that her login key was attached to it. Anyone who clicked the link from her blog could have gained access to her account, and while the token eventually expires, it stays valid long enough that her account could easily have been compromised.
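To make the risk concrete, here is an added example in Python, not OKCupid's code (the article does not show their implementation): a stateless bearer token that stays valid for weeks and can be redeemed any number of times, of the kind a forwarded email or pasted profile link would carry, beside a short-lived, single-use token tracked server-side. The function names, the 30-day and 15-minute lifetimes and the demo secret are assumptions.

```python
import hmac
import hashlib
import secrets

SECRET = b"constructed-demo-secret"  # constructed for the example; load from a secret store in practice


def weak_token(user_id: str, now: float, ttl_seconds: int = 30 * 86400) -> str:
    """Stateless bearer token: valid for weeks and reusable, so any copy of the
    link (a forwarded email, a profile URL pasted into a blog) logs the holder in."""
    exp = int(now) + ttl_seconds
    sig = hmac.new(SECRET, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{exp}.{sig}"


def weak_redeem(token: str, now: float):
    """Accepts the same token again and again until the long expiry passes."""
    try:
        user_id, exp, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or int(now) > int(exp):
        return None
    return user_id


class MagicLinks:
    """Hardened pattern: opaque random token, minutes-long lifetime, single use,
    kept in a server-side table and only ever placed on a dedicated login link,
    never appended to profile or content links that people copy around."""

    def __init__(self, ttl_seconds: int = 15 * 60):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    def issue(self, user_id: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
        self._pending[key] = (user_id, now + self.ttl)
        return token

    def redeem(self, token: str, now: float):
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)  # single use: removed on first redemption
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if now <= expires_at else None
```

A redeemed or expired hardened token yields `None`, so a link forwarded after its first use no longer grants a session, whereas the weak token keeps working for anyone who holds it.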
Next time you want to make fun of a creepy message received on OKC, you’re way better off screenshotting it.