More like blind fate —

OKCupid’s new blind date app not so blind thanks to data leak

Bug allowed access to birth dates, e-mail addresses.

Blind dates are already both exciting and terrifying—the former because you might meet your future soulmate, and the latter because your date might end up boiling your bunny. That's why a privacy bug in OKCupid's brand new app, Crazy Blind Date, was even more disturbing than usual, even though there's no evidence of that data having been accessed.

The app's goal is to anonymously match you with another dater in your area for, well, a blind date. But the app apparently made users' full e-mail addresses and birth dates easily accessible "to anyone with the right technical skills," the Wall Street Journal discovered, thereby voiding much of the app's benefit. Worse, the bug could be used to see the information of anyone nearby who had signed up to use the service—a blind date did not have to be arranged first—putting the personal information of all of the new app's users at risk.

According to the WSJ, the bug came from Crazy Blind Date's API. In addition to the e-mail addresses and birth dates, someone could use the API to grab a Crazy Blind Date user's ID and correlate it to his or her OKCupid profile, potentially finding more information on that person.

OKCupid fixed the hole immediately after being notified by the WSJ of its findings; a version 1.1 is already out on the App Store, and OKCupid CEO Sam Yagan says there's no evidence that the exploit was actually used. (There is also a version of this app for Android devices.) Still, the incident highlights how easily our information can be accessed through various online services, even when they advertise otherwise. Similarly, a recent FTC report found that numerous children's apps on the App Store collect and report personal information to a remote server, even when they explicitly claim that they don't in their privacy policies.

How do you deal with that as a potential online dater? My personal advice for those using Crazy Blind Date is the same as for anyone who might be meeting up with strangers: use a separate, non-identifiable e-mail address to register your account, even if the service claims your e-mail won't be made public. It's also a good idea to fudge your birth date a little bit—subtracting 10 years might be a bit much, but moving the date by a few days could help to keep your info more obscure.
