OkCupid's Blind Dates Not So Blind, Thanks To Revealing App Bug
Blind dates can be both exciting and scary, because you never know who you're going to meet and how it could turn out.
Some people have found their soulmates through blind dates, others have just found new targets for a restraining order. Either way, OkCupid wants people to have an easy way to set up blind dates, and has launched a new mobile app called Crazy Blind Date.
The really crazy part about this Crazy Blind Date app is that it's not so blind anymore. The app aims to make things simple: a user names a time and place, and the app finds a suitable blind date.
As the Wall Street Journal found out, however, the app's software took the blind out of blind dates and made users' full birth dates and e-mail addresses accessible "to anyone with the right technical skills."
When anonymity stands at the very core of a service, such a glitch can prove to be a huge problem. Moreover, one could also exploit the app bug to see the information of people nearby who had signed up to use the service.
According to the Wall Street Journal, the bug occurred in Crazy Blind Date's Application Programming Interface (API). Not only were the e-mail addresses and birth dates accessible, but one could also use the API to take an app user's ID and correlate it with that user's OkCupid profile, which could potentially reveal more information about that user.
OkCupid patched the security hole immediately after the WSJ notified it of the issue and a version 1.1 of the Crazy Blind Date app is already available in the App Store. The app is available for Android as well. OkCupid CEO Sam Yagan told the WSJ that his company found no evidence of anyone exploiting the glitch. Even so, the bug still raises a red flag over how easily one's information could be accessed through such online services, even if the app claims otherwise.
With the glitch fixed, the app's API now provides just the user's ID, first name, gender, desired date's gender, and profile photo. E-mail addresses and full birth dates are no longer accessible.
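The fix described above amounts to returning an allowlist of fields instead of the whole user record. The sketch below is an added example, not OkCupid's code: it projects a record onto the five fields the article lists and scans a decoded response for anything that still looks like an e-mail address or a full date. The key names, the sample record and the `nearby` response shape are assumptions made for illustration.

```python
import re
from datetime import date

# Fields the article says the patched API still returns. The key names are
# assumptions; the page lists the fields in prose only.
PUBLIC_FIELDS = ("id", "first_name", "gender", "seeking_gender", "photo_url")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
FULL_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")


def public_view(record):
    """Project an internal user record onto the allowlist (default deny)."""
    return {k: record[k] for k in PUBLIC_FIELDS if k in record}


def find_leaks(payload, path="$"):
    """Walk a decoded JSON-like response and report values that look like an
    e-mail address or a full date, wherever they are nested."""
    leaks = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            leaks += find_leaks(value, f"{path}.{key}")
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            leaks += find_leaks(value, f"{path}[{i}]")
    elif isinstance(payload, (str, date)):
        text = str(payload)
        if EMAIL_RE.search(text):
            leaks.append((path, "email"))
        if FULL_DATE_RE.search(text):
            leaks.append((path, "full_date"))
    return leaks


# Constructed sample record, not real data.
SAMPLE_USER = {
    "id": 1001, "first_name": "Alex", "gender": "f", "seeking_gender": "m",
    "photo_url": "https://cdn.example.test/p/1001.jpg",
    "email": "alex@example.test", "birth_date": date(1988, 4, 12),
    "okcupid_profile": "alex_nyc",
}

if __name__ == "__main__":
    print(find_leaks({"nearby": [SAMPLE_USER]}))               # unfiltered record
    print(find_leaks({"nearby": [public_view(SAMPLE_USER)]}))  # allowlisted view
```

Running `find_leaks` over recorded API responses in a regression test catches a sensitive field that is later added to a serializer by mistake.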