Tuesday, April 10, 2018

OkCupid’s “Removed” Visitor API

Zack Whipkey (via Hacker News):

She boasted about being able to use the now removed Visitor feature of OKCupid through their JSON API, polling it to see who was looking at her profile throughout the day. […] A few weeks ago, I hit the same API using okcupidjs, a library developed by Hung Tran, and I was floored at the data that it provided.

[…]

On March 29th, I contacted OKCupid to report the issue, and asked why so much unnecessary data was being provided. OKCupid responded within 6 hours, telling me that they confirmed the issue and removed access to the visitor API endpoint. This is fast in the world of responsible disclosure, and I give them kudos. However, they gave no answer for why unnecessary data was being provided.

[…]

The statement “Your zip code will not be public” was blatantly false.
