twocs Posted November 8, 2012 A few years ago there was some thread about OkCupid's instant login cookies on their forums. Since then, they have kept the instant login feature but made it more difficult to brute force. Here is an example link that someone would receive in their inbox: Login Instantly! Looks long and hard to impersonate. But the really strange thing is that when I use this link in some proxies, then click any link, it will log me in as a different OkCupid user. It's really bizarre. Not sure what we are supposed to do about this kind of information, but like I said, they have known about it for 3 years already. Any ideas?
digip Posted November 8, 2012 Instant login addresses usually allow anyone to click them and log in, and shouldn't be used by any companies; but also, when they do, they are supposed to be one-time URLs that, when used, should be invalidated after that in the future. If that isn't the case, okCupid needs to be told of the flaw, or it should be made public. Most likely they hash some sort of session data with the URL that posts a login for the user, but that should in some way (you would think) be an associated hash that correlates to the end user, i.e. their email address.

Someone else obtaining the link, though, through email interception, would be able to use the same link, since they have no way of knowing if you or the intended party read the email, so attacks like this would be possible if they don't invalidate the link once it's been used, or if their invalidation sequence only invalidates it for the first IP to use the link. So proxying, using a different IP, may in fact work if they aren't invalidating the URL as a one-time use and are only invalidating it for the first IP that clicked it.

That's a huge problem. Think of password reset emails, for example. If sites allowed anyone to click and use them, and didn't invalidate the URL after first use, period, then anyone with a different IP would be able to continually re-use the same URL to change someone's site password. Not good.
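The two invalidation strategies digip contrasts, as an added example that is not part of this thread and not OkCupid's code: a store that marks a link "used" per client IP (which reproduces the proxy replay the original post describes) beside a single-use store that consumes the link on first redemption from any IP, expires it, and binds it to the account it was issued for. The class names, the 15-minute lifetime, the user ids and the IP addresses are all assumptions for illustration.

```python
"""Instant-login ("magic link") token handling: IP-scoped invalidation
beside single-use invalidation. Added example; every name is assumed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime for an instant-login link


def _digest(token: str) -> str:
    # Persist only a hash of the token: a leaked table must not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()


class WeakIPScopedLinks:
    """The flawed pattern from the post: a link is marked used per client IP,
    so the same URL keeps working from any other IP (proxy, attacker)."""

    def __init__(self) -> None:
        self._links: Dict[str, dict] = {}

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._links[_digest(token)] = {"user": user_id, "used_by": set()}
        return token

    def redeem(self, token: str, user_id: str, client_ip: str) -> Optional[str]:
        rec = self._links.get(_digest(token))
        if rec is None or rec["user"] != user_id or client_ip in rec["used_by"]:
            return None
        rec["used_by"].add(client_ip)  # invalidated for this IP only: the bug
        return rec["user"]


class SingleUseLinks:
    """Hardened: consumed on first redemption from any IP, time-limited,
    and bound to the account it was issued for."""

    def __init__(self) -> None:
        self._links: Dict[str, dict] = {}

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._links[_digest(token)] = {"user": user_id, "expires": now + TOKEN_TTL_SECONDS}
        return token

    def redeem(self, token: str, user_id: str, client_ip: str,
               now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        # pop() consumes the record unconditionally: a second click, from
        # whatever IP, finds nothing. client_ip is accepted only for logging.
        rec = self._links.pop(_digest(token), None)
        if rec is None or now > rec["expires"]:
            return None
        # The link only logs in the account it was sent to (constant-time compare).
        if not hmac.compare_digest(rec["user"].encode(), user_id.encode()):
            return None
        return rec["user"]


def replay_from_second_ip(store) -> tuple:
    """Issue one link for 'alice', click it from the victim's IP, then replay
    it from a different IP, as the thread describes. Returns (first, replay)."""
    token = store.issue("alice")
    first = store.redeem(token, "alice", "198.51.100.10")   # constructed IPs
    replay = store.redeem(token, "alice", "203.0.113.77")
    return first, replay


def expired_link_is_rejected() -> bool:
    store = SingleUseLinks()
    t0 = 1_700_000_000.0  # constructed clock value
    token = store.issue("bob", now=t0)
    return store.redeem(token, "bob", "198.51.100.10", now=t0 + TOKEN_TTL_SECONDS + 1) is None


def wrong_account_is_rejected() -> bool:
    store = SingleUseLinks()
    token = store.issue("carol")
    return store.redeem(token, "mallory", "203.0.113.77") is None


if __name__ == "__main__":
    print("ip-scoped :", replay_from_second_ip(WeakIPScopedLinks()))  # ('alice', 'alice')
    print("single-use:", replay_from_second_ip(SingleUseLinks()))     # ('alice', None)
```

The weak store returns a login on the replay because it only remembers which IPs have used the link; the hardened store deletes the record on first redemption, so where the link was clicked from never matters. Storing the digest rather than the token and checking a time limit are the two extra properties a practitioner would want beyond single use, but neither would have stopped the replay on its own.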
twocs Posted November 9, 2012 (edited) Weird, the forum link doesn't work. Anyway, this problem was already discussed with OkCupid engineers in 2009, and they refused to remove the "feature". This is certainly not a one-time login. I've clicked on the Login Instantly link in lots of proxies around the world and it's still valid. Also, a Google search for "site:http://www.okcupid.com/l" (the /l is for instant login) reveals a number of people's account logins that they must have posted to somewhere. Facebook just cancelled auto login that still required a password for security concerns. OkCupid's links don't even require a password. Edited November 9, 2012 by twocs
twocs Posted November 9, 2012 Well, the login for OkCupid currently doesn't work, saying "Sorry, we're having technical difficulties right now. Check back later."