Login instantly link received in an email


twocs

A few years ago there was some thread about OkCupid's instant login cookies on their forums. Since then, they have kept the instant login feature but made it more difficult to brute force.

Here is an example link that someone would receive in their inbox: Login Instantly!

Looks long and hard to impersonate. But the really strange thing is that when I use this link in some proxies, then click any link, it will log me in as a different OkCupid user. It's really bizarre. Not sure what we are supposed to do about this kind of information, but like I said, they have known about it for 3 years already. Any ideas?

Instant login addresses usually allow anyone to click them and log in, and shouldn't be used by any companies. But when they are used, they are supposed to be one-time URLs that, once used, are invalidated for the future. If that isn't the case, OkCupid needs to be told of the flaw, or it should be made public.

Most likely they hash some sort of session data into the URL that posts a login for the user, but that should in some way (you would think) be an associated hash that correlates to the end user, i.e. their email address. Someone else obtaining the link, though, through email interception, would be able to use the same link, since they have no way of knowing whether you or the intended party read the email. So attacks like this would be possible if they don't invalidate the link once it's been used, or if their invalidation sequence only invalidates it for the first IP to use the link. Proxying, using a different IP, may in fact work if they aren't invalidating the URL as a one-time use and are only invalidating it for the first IP that clicked it. That's a huge problem.

Think of password reset emails, for example. If sites allowed anyone to click and use them, and didn't invalidate the URL after first use, period, then anyone with a different IP would be able to continually re-use the same URL to change someone's site password. Not good.

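The reply above contrasts two ways a site might "invalidate" an instant-login link: deleting the token on first use (correct), or only remembering which IP already used it (which a proxy trivially defeats). The following is an added illustration, not OkCupid's code and not code posted in the thread; the URL shape `https://example.invalid/l?token=...`, the 15-minute lifetime, the sample email address and the IP addresses are all assumptions chosen for the demo. It implements a minimal magic-link service that stores only a hash of a random token, binds the token to the user it was issued for, expires it, and deletes it on first redemption; a `per_ip_invalidation` switch reproduces the flawed per-IP scheme so the replay from a second IP can be compared side by side.

```python
# Added example (not from the thread): single-use magic-link tokens versus
# the flawed "invalidate only for the first IP" scheme described above.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link is valid for 15 minutes


class MagicLinkService:
    """Issues and redeems "log in instantly" links.

    Only a SHA-256 of the random token is stored, so a leaked table does not
    yield usable links. Each record is bound to one user and, in the correct
    mode, is deleted on the first successful redemption whatever the client IP.
    """

    def __init__(self, per_ip_invalidation: bool = False, clock=time.time):
        # token_hash -> {"user": email, "expires": unix time, "used_by": {ip}}
        self._records = {}
        self._clock = clock
        # True reproduces the weak scheme: the link is marked used only for the
        # IP that first clicked it, so a different IP can redeem it again.
        self.per_ip_invalidation = per_ip_invalidation

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_email: str) -> str:
        """Create a fresh 256-bit token for this user and return the link."""
        token = secrets.token_urlsafe(32)  # unguessable, never derived from user data
        self._records[self._hash(token)] = {
            "user": user_email,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used_by": set(),
        }
        return f"https://example.invalid/l?token={token}"  # assumed URL shape

    def redeem(self, url: str, client_ip: str):
        """Return the email to log in as, or None if the link is not valid."""
        token = url.rsplit("token=", 1)[-1]
        h = self._hash(token)  # lookup by hash: a guessed token reveals nothing
        rec = self._records.get(h)
        if rec is None or self._clock() > rec["expires"]:
            self._records.pop(h, None)  # expired records are dropped on contact
            return None
        if self.per_ip_invalidation:
            # Flawed: "used" is tracked per IP, so a proxy replay still succeeds.
            if client_ip in rec["used_by"]:
                return None
            rec["used_by"].add(client_ip)
            return rec["user"]
        # Correct: one redemption, then the token is gone for every client.
        del self._records[h]
        return rec["user"]


def demo_replay(per_ip: bool) -> list:
    """Victim clicks once from home, attacker replays the same link via a proxy.

    Returns [result of first click, result of the replay].
    """
    svc = MagicLinkService(per_ip_invalidation=per_ip)
    link = svc.issue("victim@example.com")          # constructed sample user
    first = svc.redeem(link, "198.51.100.7")        # victim's own IP (assumed)
    replay = svc.redeem(link, "203.0.113.9")        # attacker's proxy IP (assumed)
    return [first, replay]


if __name__ == "__main__":
    print("one-time token:", demo_replay(per_ip=False))
    print("per-IP marking:", demo_replay(per_ip=True))
```

With `per_ip_invalidation=False` the second redemption returns `None`; with the per-IP scheme the replay from a second address logs the attacker in as the victim, which is exactly what changing proxies would expose. Expiry and the token's binding to a single user are handled the same way in both modes.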
Weird, the forum link doesn't work. Anyway, this problem was already discussed with OkCupid engineers in 2009, and they refused to remove the "feature".

This is certainly not a one-time login. I've clicked on the Login Instantly link in lots of proxies around the world and it's still valid.

Also, a google search for "site:http://www.okcupid.com/l" (the /l is for instant login) reveals a number of people's account logins that they must have posted to somewhere.

Facebook just cancelled auto-login, which still required a password, over security concerns. OkCupid's links don't even require a password.
