Wow. Something is seriously wrong at SpeedDate, the online dating site that throws strangers into whirlwind 3 minute dates. For at least 30 minutes this evening (and possibly more), passwords were totally optional. Type in a user name (no password needed), hit “Log In”, and you had access to every private message, ‘flirt’, and buddy list available on the user’s profile. You could modify profile photos, bios, or whatever else you could find.
We’ve verified that the issue worked with at least five different accounts. One account didn’t work; the others went through without a hitch. Fortunately there isn’t a whole lot of damage you can do on the site beyond reading or sending private messages, but as far as security breaches go it doesn’t get much worse than this.
We’ve confirmed the problem with SpeedDate, who say it is now fixed (we held the story until they could address the issue to avoid further exploitation). SpeedDate says that the issue only affected a subset of users, though the number of accounts affected seems to have been substantial.
This isn’t the first time SpeedDate has been in hot water with users. Last year the site acquired a number of Facebook applications unrelated to dating, only to convert them to SpeedDate apps without the consent of users. It was also temporarily banned from Facebook entirely.
Thanks to Reece Schofield for the tip.
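The article gives no detail on how the login check failed. As an added illustration (not SpeedDate’s code), here is a hypothetical login routine with the kind of development shortcut one commenter below speculates about, next to a fail-closed version; the user store, salt and helper names are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # Constructed helper; any slow salted password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy record so unknown usernames cost the same time as known ones.
_DUMMY = (_SALT, _pbkdf2(secrets.token_hex(16), _SALT))


def login_flawed(username: str, password, skip_auth: bool = True) -> bool:
    """Hypothetical version of the failure: a development shortcut that
    skips credential checking shipped with its default left on, so any
    existing username logs in with no password at all."""
    if username not in USERS:
        return False
    if skip_auth:  # dev-only stub that should never reach production
        return True
    salt, digest = USERS[username]
    return hmac.compare_digest(_pbkdf2(password or "", salt), digest)


def login_hardened(username: str, password) -> bool:
    """Fails closed: there is no bypass flag, an absent or empty password is
    rejected before any lookup, and the hash comparison is constant-time."""
    if not username or not isinstance(password, str) or not password:
        return False
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_pbkdf2(password, salt), digest)
    return ok and username in USERS
```

A regression test that calls the login path with a known username and no password, expecting rejection, is the cheapest way to keep this class of defect from shipping again.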
Oh, you’re lucky I didn’t get a screen shot off
Don’t be an idiot.
I agree. This is crazy.
Wohhhhhow, those guys are a little too relaxed with their QC, and the FB apps business from last year sounds fishy. I am married, but if I were on the ‘market’ I’d stay away.
If this is a true story, apparently speeddate.com was the result of speed programming without using a conventional built-in Web authentication mechanism, which has no chance of having such a leak for a single moment.
Even more so, I can’t believe anyone would voluntarily sign up with these punks and give them any personal info.
I would guess the implementation was simply to receive the user/pwd pair and then query the user table of the database to find a match. I would suspect the site was an easy target for SQL injection as well.
That’s crazy.
Amazed how this company is still in business. This is just mockery of user privacy and trust.
I agree. This is as bad as it can get.
To me it sounds like they rolled an update and may have inadvertently added the flaw. Perhaps a lazy coder stubbed out authentication in the development environment, forgot to switch things back before checking into version control, and swapped out the production code with the flawed code without realizing what had been done.
These guys are brutal. Underhanded dirty little spammers. I can’t believe FB didn’t ban them for life.
They should not be covered on TechCrunch as a Web 2.0 startup – they are scumbags and their practices are not in the spirit of the Social Web.
Agreed… except they should be mentioned as a risk.
I got “tricked” into joining them through FB last year… by what looked like an invitation from a known friend to something that was NOT SpeedDate.
Domain name FAIL.
Very bad usability.
Whew, SpeedDate has got to be one of the most dubious companies out there – they bait and switch FB apps to get users and now this…
anyone who signs up for their service is an idiot.
This year they are converting My Starbucks Facebook App to SpeedDate. At some point, I thought somebody hacked into My Starbucks app. They have to be permanently banned from Facebook as this is a totally unfair business practice!
this is not good.
Makes you wonder if, where and how they are storing and protecting subscriber payment details. Time for an audit perhaps…
It’s hard to believe these people are still around, seemingly with a fairly big userbase. After their bait and switch scam, sorry I mean issue, last year I would have hoped they would just go away.
I think it’s fairly obvious I am not a SpeedDate user, considering the history I have with them, but I do know one or two people who do use it despite my warnings.
It’s worth noting that I’m still waiting for SpeedDate.com to post a reply to the comments on my original blog post from September.
The number one aspect of any site is security.
Passwords? We no need no stinkin’ passwords!
This is SpeedDate, for crying out loud… too much time for passwords.
Passwords are so, like, 2006 anyway. Who needs ‘em?
Sad indeed…would you trust a site like this with your payment details?
Maybe they’ll use it as their new marketing slogan;
“our users are more ‘exposed’ than any other dating site”
I reviewed this site when speaking to a recruiter and had to “date” a few rounds to give my thoughts.
Aside from the security issues, the experience really, really sucks. However, I am sure Speeddate will disagree. But still, it sucks more than anything I’ve seen in years. No lie! I’ve never been so interrupted with inappropriate pop-up notices.
I read this and went to see if I ever closed that account I registered under a fake everything.
Even closing the account sucks. Really! I was told to deactivate & clicked the button. Then I was asked to give feedback on what I like and don’t like about Speed date, so I gave a one line answer. Then, the interface told me my answer was too short and refused to “deactivate” the account. What? Requesting to deactivate and providing an answer to a question is not enough? My answer is not long enough?
Well, all I have to say is …
It really sucks!
what a good domain. what a waste. what-a-waste!
yes, they call it a new set of features:
free login
free impersonating
Guys, cool down. People make mistakes, admittedly this one is pretty nasty, but even Google let that infamous / slip by their QA process.
There’s almost nothing good to say about these guys. I was checking them out and without my permission they grabbed my entire AOL directory and spammed them over and over. In fact, it’s still happening… even when my friends and family unsubscribe. And for my unfortunate friends who clicked that “yes” they knew me… their entire directories are now also getting spammed. Stay away from this site. It’s one of the worst offenders I have ever seen.
We’ll see if any civil suits come their way. Anybody affected would certainly be smart to publicize the effect of this failure on them.