
OkCupid's “Removed” Visitor API - zdware
https://zdware.com/2018/okcupid_removed_visitor_api/
======
brosner
About seven years ago I met my wife on OkCupid. The only reason why I messaged
her back (after having messaged with her several months earlier) was because of
the frontend visitor feature. She had visited my profile randomly again. Turns
out she said she accidentally clicked onto my profile intending to see someone
else.

I haven't used OkC since then, but I thought I'd share that in the context of
this blog post ;-)

~~~
alexandre_m
One day when you have kids, you can tell them "you are the result of a
mistaken web click"

~~~
Aaargh20318
If, not when. Children are optional.

Pet peeve of mine, but too many people don't even think about it and just
procreate because it's part of the Standard Life Script™.

~~~
ksk
> but too many people don't even think about it and just procreate because
> it's part of the Standard Life Script

As is their right, and not to mention biological imperative. Ironically,
people not wanting kids will be marginalized in the gene pool (assuming the
trait is genetic). But yeah, overpopulation, unsustainable food needs, etc,
etc. To paraphrase Dr. House, M.D. - "There are only two things people get
stupid for - Money and Sex" :P

------
odammit
I dated on okc for a few years. I hate driving (LA) and so I frequently
filtered my matches to 5 miles (if I recall that was the smallest radius).

5 miles in LA can be a long drive. So I wrote a chrome plugin to add
additional drop down options of 0.1, 0.5 and 1 mile. I was surprised to see it
work.

It was awesome.

There is also a hack to get the infamous “top X% of hottest people” feature
unlocked... :)

~~~
swang
yeah it was easy to modify it in the query string.

~~~
Thriptic
mind elaborating?

~~~
odammit
It wasn’t a parameter but a trick.

This is a little fucked up:

You go through their rating game where you can rate people 1 to 5 stars.

(Optional): You rate everyone you find attractive five stars no matter how
attractive because you’re going to need a way to differentiate later...

Go through and rate a bunch of ugly people four stars. A shit load.

When you get rated four stars or higher you get a notification. Those people
usually come back and rate you. Hopefully four stars or higher.

So now you've crowdsourced ugly people to say you're good looking but that
ugly person is never going to get the feature turned on for them because
nobody else is saying they're good looking.

Now you show up to the hottest people and the hottest people show up to you.

I’ve done this a few times over the years with burner accounts to test it and
new accounts just because I canceled an old one.

It takes a few hours of rating unattractive people. I usually just did it
flipping through on the toilet for about a week.

If you don't care about keeping track of the five star people you can just
write a script to four or five star people at random and let it run overnight.

~~~
esrauch
This sounds like it shouldn't work:

- If it starts showing you to unusually attractive people won't those people
rate you unusually low until you reach some equilibrium?

- I would expect any feature determining the top most attractive should use a
weighting of the raters (like PageRank)

- I would expect OKC to try to be optimizing for total matches: that means
they should have some system for "you rate a certain cluster of people
unusually high, we should direct you to that set of people since the other
people you rate high are already saturated"

~~~
odammit
Well, it does - or maybe I’m smoking hot baby boi.

I assume it probably wouldn't work for Sloth Fratelli.

------
Madmallard
Okcupid has been going downhill for years. Four years ago you could get
matches on there even if you were average looking that weren't way below your
league and actually interact with a ton of people. In 2018 it is mostly bots
and you won't get meaningful interaction really anymore. The tinder looks bias
is also literally enforced at this point (only see messages from profiles you
look at, only messaging matches). They have totally lost their way.

------
i386
"stalk_time" makes me feel very uncomfortable. Names matter.

~~~
goodside
The original name of the feature actually was "stalkers" — that's how it was
presented to users before 2010 or so. The site had a _lot_ of dark humor then.
The word "stalk" also works as a clarifying synonym for "visit" in the code
because "visit" could refer e.g. to the user's visit to the site itself.

~~~
zdware
The payload for the visitor API was an object containing an array
whose key was `stalkers`, so still the same!

------
CrowderSoup
The thing that impresses me most is how quickly OkCupid removed public access
to that API.

~~~
rhizome
Eh, comment out a route and deploy.

~~~
_asummers
That's only true if there was nothing internally relying on it.

~~~
Waterluvian
Whitelist internals and deploy?

It may be impressively fast or unimpressively simple. We won't know for sure.

~~~
_asummers
Absolutely. But imagine e.g. a mobile app that uses that API. That's a harder
change to propagate. That's pure speculation though, as you said. We have no
idea.

------
jakobegger
Where does the „body type“ data come from? Do they ask you for your weight
when you sign up?

~~~
toomuchtodo
You specify it as part of your profile. If you pay for A-List (paid plan), you
can filter potential matches by body type.

Disclosure: Paying OKCupid customer. I don't mind paying to support the
service, it's provided ongoing value to us.

~~~
corobo
I have to wonder how effective paying for a dating site really is. Presumably
if you find a partner through the site you stop paying?

Aside from a token few they can blog about, what's their incentive to be
successful?

~~~
ricksebak
OKCupid actually did a blog post about this, which they have since deleted.
Here's a copy of it.

[http://static.izs.me/why-you-should-never-pay-for-online-dat...](http://static.izs.me/why-you-should-never-pay-for-online-dating.html)

~~~
kelnos
I don't think the fact that OkC now has paid features invalidates their (sadly
deleted) blog post. With OkC, you can still match up with someone and
accomplish what you intend to (finding dates/partners) without pulling out
your credit card. Some of the paid features might (and might not) make it
easier or more efficient to find a partner, but you don't need to pay them to
get value out of the site. The argument in the blog post is against sites that
require you to pay to do anything meaningful with the site, and I think that
point holds.

~~~
astura
The reason they deleted that blog post was because they were bought by
Match.com

~~~
kelnos
Not debating that; that's obviously the case, but really has nothing to do
with the point I'm making.

------
waisbrot
> However, they gave no answer for why unnecessary data was being provided.

I mean, it was obviously a bug, right? I imagine the only "explanation" would
involve detailing the origin and nature of the bug which would be unwise until
they've gone through all their other endpoints to ensure that there's not
another instance of this same information leaking.

~~~
notimetorelax
I don’t think that this was a bug. Most probably, they have those DTO objects
for viewing and editing. In that scenario the correct thing to do would be to
create a new DTO object that exposes only the necessary information, but this
is an extra effort.

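The distinction notimetorelax draws, a read-only DTO that exposes only what the visitor endpoint needs versus reusing the full view/edit DTO, as an added Python example (not code from the post, this thread, or OkCupid). The `UserRecord` fields, the in-memory store, the ownership check and the `stalkers` response shape (taken from zdware's comment above) are all constructed for illustration:

```python
from dataclasses import dataclass, asdict
from typing import Any

# Constructed internal record: everything the backend stores about a user.
# Fields like email and last_login_ip belong only in the owner's own
# edit-profile view; "who visited me" never needs them.
@dataclass
class UserRecord:
    userid: str
    username: str
    body_type: str          # profile attribute mentioned in the thread
    email: str
    last_login_ip: str


# Hypothetical data store, constructed inline for this example.
USERS = {
    "u100": UserRecord("u100", "alice", "athletic", "alice@example.invalid", "203.0.113.5"),
    "u200": UserRecord("u200", "bob", "average", "bob@example.invalid", "198.51.100.9"),
}
# Visits keyed by the profile that was viewed: (visitor id, epoch seconds).
# "stalk_time" is the field name discussed in the thread.
VISITS = {"u100": [("u200", 1526300000)]}


def edit_dto(user: UserRecord) -> dict[str, Any]:
    """The owner's own edit-profile DTO: every field, by design."""
    return asdict(user)


@dataclass(frozen=True)
class VisitorDTO:
    """Read-only view for the visitor list: an explicit allow-list of fields."""
    userid: str
    username: str
    stalk_time: int

    @classmethod
    def from_record(cls, user: UserRecord, stalk_time: int) -> "VisitorDTO":
        return cls(user.userid, user.username, stalk_time)


def visitors_leaky(caller_id: str, profile_id: str) -> dict[str, Any]:
    """Anti-pattern: reuse the edit DTO and skip the ownership check.
    Every stored field of each visitor ends up in the response."""
    return {"stalkers": [edit_dto(USERS[v]) | {"stalk_time": t}
                         for v, t in VISITS.get(profile_id, [])]}


def visitors_safe(caller_id: str, profile_id: str) -> dict[str, Any]:
    """Hardened: only the profile owner may ask, and only VisitorDTO fields leave."""
    if caller_id != profile_id:
        raise PermissionError("visitor list is private to the profile owner")
    return {"stalkers": [asdict(VisitorDTO.from_record(USERS[v], t))
                         for v, t in VISITS.get(profile_id, [])]}


ALLOWED_VISITOR_FIELDS = frozenset(VisitorDTO.__dataclass_fields__)


def overexposed_fields(response: dict[str, Any]) -> set[str]:
    """Review/test helper: which keys in the response are not on the allow-list?"""
    extra: set[str] = set()
    for entry in response.get("stalkers", []):
        extra |= set(entry) - ALLOWED_VISITOR_FIELDS
    return extra


if __name__ == "__main__":
    print("leaky:", overexposed_fields(visitors_leaky("u999", "u100")))
    print("safe :", overexposed_fields(visitors_safe("u100", "u100")))
```

The separate frozen `VisitorDTO` is the "extra effort" the comment refers to: adding a new column to `UserRecord` later cannot silently widen the visitor response, because the DTO has to be changed by hand. The `overexposed_fields` helper is the kind of assertion a code review or integration test can pin on each public endpoint so that an over-broad serializer is caught before deploy rather than by an outside researcher.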
------
nitwit005
Obviously a hidden feature of OkCupid for matching security researchers.

------
Implicated
How does this even happen?

How can the developers behind an endpoint like this not confirm/test that it
requires permissions/authentication to consume? (I mean, look at all that
data...)

Amateurs I can understand - but OKCupid has been around long enough they
shouldn't be employing people of that nature.

Is there no code review process?

This is just nuts.

~~~
tytytytytytytyt
It's certainly not outlandish that this happened. Have you never been employed
as a programmer?

~~~
Implicated
I am, and have been. That's why it's so outlandish to me - I keep user data in
mind all the time. Finding out you're leaking sensitive personal data is a
slippery slope neither I (nor my clients) want to go down.

Are you implying that it's not outlandish for professional programmers to not
have these things in mind?

~~~
tytytytytytytyt
Data leaks like these happen with some frequency, which is why they are not
outlandish.

> That's why it's so outlandish to me - I keep user data in mind all the time.

You keeping data in mind has no bearing on whether or not data leaks are
outlandish. You don't seem to understand what the word means, tbh.

> Are you implying that it's not outlandish for professional programmers to
> not have these things in mind?

No, I directly implied that your real or feigned surprise at this happening
makes it look like you don't understand the industry. If you're familiar with
the industry it shouldn't be a surprise that this happens.

------
nukeop
I never get it why people who discover secrets like these make extra sure
nobody else can ever enjoy them again. Just use the undocumented feature and
don't make a big thing out of it.

This way it's ruined for everybody, and they get nothing in return, except for
some HN points on their blog post.

~~~
reimertz
Don't know if you're sarcastic, but I prefer privacy related issues like this
to be surfaced and would call it morally wrong not doing so.

~~~
nukeop
There would be no privacy issues if the users did not give up that private
data willingly in the first place. A-ok with random company on the internet
having access to it, but suddenly other random parties exploiting it are
"creepy"? It was being shared with advertisers and analytics providers anyway.

~~~
saagarjha
> It was being shared with advertisers and analytics providers anyway.

That doesn't make it acceptable in any way.
