Wow. Something is seriously wrong at SpeedDate, the online dating site that throws strangers into whirlwind 3-minute dates. For at least 30 minutes this evening (and possibly more), passwords were totally optional. Type in a user name (no password needed), hit “Log In”, and you had access to every private message, ‘flirt’, and buddy list available on the user’s profile. You could modify profile photos, bios, or whatever else you could find.
We’ve verified that the issue worked with at least five different accounts. One account didn’t work; the others went through without a hitch. Fortunately there isn’t a whole lot of damage you can do on the site beyond reading or sending private messages, but as far as security breaches go it doesn’t get much worse than this.
We’ve confirmed the problem with SpeedDate, who say it is now fixed (we held the story until they could address the issue to avoid further exploitation). SpeedDate says that the issue only affected a subset of users, though the number of accounts affected seems to have been substantial.
This isn’t the first time SpeedDate has been in hot water with users. Last year the site acquired a number of Facebook applications unrelated to dating, only to convert them to SpeedDate apps without the consent of users. It was also temporarily banned from Facebook entirely.
Thanks to Reece Schofield for the tip.