
> It also occurred to me that if I redirected my website to the CSRF link that automatically sent a message to me, I could see the OkCupid profiles of my website visitors who were logged into okcupid.com, which would make for an intense web analytics tool.

Ouch.



I learned recently that if someone forwards you the email that OKC sends them alerting them to a new message and you click on it you gain passwordless access to their account.

I contacted OKC about this but they said that it was not an issue.


Lots of sites do this, it’s a feature for the majority of users who prefer convenience over security.


I find that passwordless links usually expire after 1 use or some amount of time; generating eternal alt-passwords for an OkCupid account in every message notification email seems pretty heinous.


Gmail now pretty much breaks single-use tokens in links because it consumes them itself after a user clicks on them, but before redirecting the user to the site.

It's an unfortunate change that has made single-use links a worse UX and less popular in the last couple of years.


This sounds like it would break a bunch of email address verification systems, password recovery links and the like. I wonder if indeed it does break them, but since it only affects smaller websites nobody seems to care.


> "This sounds like it would break a bunch of email address verification systems, password recovery links and the like."

This is exactly the pain I've experienced with my own site, https://alchemist.camp

I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.

Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.

My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.


Instead of copy and paste you could have a POST form on your site to trigger the actual reset (with a hidden field pre-populated from the params of the email link). Gmail and others won’t touch it. They assume a GET is free from side effects and that it is safe to load your link because of that.


Why not make them 2 use tokens?

Not quite as secure, but way better than never expires?


Or after initial token use, set to expire after n seconds rather than immediately


That's exactly the approach I'm leaning towards using.


Or you could trigger an AJAX call on the page that actually checks the token validity, then redirect the user to a new-password or a "sorry, expired" form.

Gmail may fetch the page but won't run the JS on it.

Edit: this works for situations when spam filters fetch the links as soon as the mail arrives.


Yes, please ruin functionality without javascript for the sake of gmail's nosiness.

The comment about a form and PUT/POST is good - it will work by standards in any browser, even when Gmail starts executing JavaScript. Add auto-submit via JavaScript on top if preferred.
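The POST-form design from the thread, combined with the "expire n seconds after first use" idea, as an added example that is not code from any commenter or from the site discussed. It is framework-free: `handle_get` and `handle_post` stand in for the two route handlers, `TOKEN_TTL` and `GRACE_SECONDS` are assumed values, and storing the new password is left as a stub.

```python
import html
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

TOKEN_TTL = 3600      # seconds a reset link stays valid at all (assumed)
GRACE_SECONDS = 60    # after first use, a second use within this window still works (assumed)


@dataclass
class ResetToken:
    user: str
    created: float
    first_used: Optional[float] = None


TOKENS: dict = {}  # token -> ResetToken; in-memory store for the example


def issue_token(user: str, now: float) -> str:
    token = secrets.token_urlsafe(32)   # unguessable, URL-safe
    TOKENS[token] = ResetToken(user, now)
    return token


def handle_get(token: str, now: float) -> str:
    # GET has no side effects: it only validates and renders a POST form, so a
    # mail client or scanner that prefetches the link consumes nothing.
    rec = TOKENS.get(token)
    if rec is None or now - rec.created > TOKEN_TTL:
        return "<p>This reset link is invalid or has expired.</p>"
    return ('<form method="POST" action="/reset">'
            f'<input type="hidden" name="token" value="{html.escape(token)}">'
            '<input type="password" name="password"><button>Reset</button></form>')


def handle_post(token: str, new_password: str, now: float) -> Tuple[bool, str]:
    # Only the POST, which prefetchers never issue, consumes the token.
    rec = TOKENS.get(token)
    if rec is None or now - rec.created > TOKEN_TTL:
        TOKENS.pop(token, None)
        return False, "invalid or expired"
    if rec.first_used is None:
        rec.first_used = now
    elif now - rec.first_used > GRACE_SECONDS:
        del TOKENS[token]               # grace window over: token is dead
        return False, "token already used"
    # store_password(rec.user, new_password)  -- assumed, out of scope here
    return True, rec.user
```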


This isn't the case in my experience.

We have a tool that sends me an email with a single use link when it's used.

I just now confirmed that I receive the email containing the single-use link, that I can click on it and view the page, and that the single-use link is no longer available after I've viewed the link.

Is this perhaps conditional behavior of some sort?


Perhaps it’s 2-use?


It's not. It's a tool we developed, and I've confirmed that the resource at the link is fully destroyed after the first access.


Wow, can you theorize why they would build it that way?


They never expire. Source: am OKCupid user.

As mentioned in another comment: this is one of the reasons I laughed when they made a grab for everyone's phone numbers, claiming it was to prevent people from haxxoring your account.


This isn't ideal, but why would anyone forward this kind of email?


I might forward it to a friend to ask if that's the girl he dated last week, without meaning to give him passwordless access to my account.


A good way to know if he is really your friend ;)


The email itself could be intercepted, could it not?


I guess when an adversary knows about the feature and uses some social engineering against the user?


In order to get access to their... OkCupid account? Not sure that I care.



You might care if you were married and using OKCupid to find a girlfriend.

You may say that getting exposed for trying to have an affair is a good thing, but that's still a reason why someone may care how secure their OKCupid activity is.


Certain sexual behaviours are outlawed in certain nations. And may result in death or long incarceration times.

In other nations, it may not be strictly illegal, but is more than enough information that, if publicly released, would result in death threats and other social pressures.


Everyone's got something to hide somewhere.


That's shocking! Really surprised that they don't see this as an issue, I would expect that it's trivial to social engineer someone into forwarding you one of those emails.


It also really takes the wind out of the sails of their whole "you must give us your phone number for security" song and dance and makes it clear the phone number was only for tying your username to your real world identity.


Maybe, but how much value is there in taking over people's OKCupid account?


Someone I knew once sent me an urgent direct message over Twitter that they were stranded in the City of London and needed me to wire money. Phone gone, computer stolen, they could only communicate by Twitter. Of course it wasn't actually my friend, but a 2-bit hacker. But if they were to collect enough accounts and message enough people, someone might bite. Maybe someone would give up something truly valuable if they really thought it was someone they cared about, a long lost son, or a pined-for ex.


If there's no value or downside to someone taking over my OKCupid account, why have a password on it in the first place?


This is a horrible take, obviously there’s different levels of security and risk associated with everything.


A horrible take on how much value is there in taking over people's OKCupid account?

If there's literally no value in taking it over, then why password protect it in the first place?

I have an online photo album and while I could password protect it and share the password with people that I want to share it with, there's very little value (perhaps there's some small social engineering value) in protecting it. If there's no value in exposing it, why bother password protecting it?


It's a bad take because you made it sound like I said it was worthless, when all I implied was that it isn't worth much. There's a difference.


I took your reply as meaning it has so little value that there's no reason to or even harm if someone takes it over.

Did you mean that it's valuable enough that someone should protect it, but shouldn't bother protecting it too much (like, anyone with the URL should have access to it) since it has little value? I'm not sure I really understand the nuance, but I'd be awfully surprised if I forwarded an email to someone from OKCupid and it gave them passwordless access to the account.


There is a huge market in romance scams and people lose huge amounts to it, most people are clever enough to spot them but many aren't. Now if you're able to intercept a genuine conversation it'd give you a good advantage.

Even at a lower level, just sending a bunch of messages asking for money for a cab/train/airfare might yield good returns. People let their guard down when there's a possibility of getting laid.


You'd be surprised, a lot - but I'd wager it's easier to just save the photos and open up your own honeypot that way.

But the messages could be interesting.


The value is relative to motivation, I'd posit.


The Data Protection Agency loves this weird trick!

