OkCupid's “Removed” Visitor API (zdware.com)
185 points by zdware on Apr 9, 2018 | hide | past | web | favorite | 80 comments

About seven years ago I met my wife on OkCupid. The only reason why I messaged her back (after having messaged with her several months earlier) was because of the frontend visitor feature. She had visited my profile randomly again. Turns out she said she accidentally clicked onto my profile intending to see someone else.

I haven't used OkC since then, but I thought I'd share that in the context of this blog post ;-)

One day when you have kids, you can tell them "you are the result of a mistaken web click"

If, not when. Children are optional.

Pet peeve of mine, but too many people don't even think about it and just procreate because it's part of the Standard Life Script™.

> but too many people don't even think about it and just procreate because it's part of the Standard Life Script

As is their right, and not to mention biological imperative. Ironically, people not wanting kids will be marginalized in the gene pool (assuming the trait is genetic). But yeah, overpopulation, unsustainable food needs, etc, etc. To paraphrase Dr. House, M.D. - "There are only two things people get stupid for - Money and Sex" :P

Well, the entire application is built with the purpose of guiding users into this choice. It's at the point where the longer you've run the application without procreating, the stronger the manipulation becomes.

Even people running the application in Gay Mode or loading other modules using the Gender Extension APIs run into this problem.

"When" can be conditional too :)

For the record, we have a one and half year old son :D

I have a similar story. My current girlfriend was living in another city about three hours away; I never would have seen her profile in my possible "matches" because I wasn't looking in that city. She did a search query for an author we both like, and my profile came up. If she hadn't "visited" my profile and piqued my interest I likely never would've met her! I'm sad to think that with the changes OKC have made recently (haven't used it since I met my GF obviously) people will have less luck finding people. They want to turn it into a Tinder clone.

That's pretty awesome!

The site has changed quite a bit then. Now you would never have been able to message her unless she "liked" you.

I dated on okc for a few years. I hate driving (LA) and so I frequently filtered my matches to 5 miles (if I recall that was the smallest radius).

5 miles in LA can be a long drive. So I wrote a chrome plugin to add additional drop down options of 0.1, 0.5 and 1 mile. I was surprised to see it work.

It was awesome.

There is also a hack to get the infamous “top X% of hottest people” feature unlocked... :)

yeah it was easy to modify it in the query string.

mind elaborating?

It wasn’t a parameter but a trick.

This is a little fucked up:

You go through their rating game where you can rate people 1 to 5 stars.

(Optional): You rate everyone you find attractive five stars no matter how attractive because you’re going to need a way to differentiate later...

Go through and rate a bunch of ugly people four stars. A shit load.

When you get rated four stars or higher you get a notification. Those people usually come back and rate you. Hopefully four stars or higher.

So now you’ve crowdsourced ugly people to say you’re good looking, but that ugly person is never going to get the feature turned on for them because nobody else is saying they’re good looking.

Now you show up to the hottest people and the hottest people show up to you.

I’ve done this a few times over the years with burner accounts to test it and new accounts just because I canceled an old one.

It takes a few hours of rating unattractive people. I usually just did it flipping through on the toilet for about a week.

If you don’t care about keeping track of the five star people you can just write a script to four or five star people at random and let it run overnight.

This sounds like it shouldn't work:

- If it starts showing you to unusually attractive people, won't those people rate you unusually low until you reach some equilibrium?

- I would expect any feature determining the top most attractive should use a weighting of the raters (like PageRank)

- I would expect OKC to try to be optimizing for total matches: that means they should have some system for "you rate a certain cluster of people unusually high, we should direct you to that set of people since the other people you rate high are already saturated"

Well, it does - or maybe I’m smoking hot baby boi.

I assume it probably wouldnt work for Sloth Fratelli.

I assume they mean the radius was a parameter in the URL so changing it was easy, e.g. replace &search_radius=5 with &search_radius=1.

What I'm asking is what parameter are they changing to look at the hottest people.

Okcupid has been going downhill for years. Four years ago you could get matches on there even if you were average looking that weren't way below your league and actually interact with a ton of people. In 2018 it is mostly bots and you won't get meaningful interaction really anymore. The Tinder looks bias is also literally enforced at this point (only see messages from profiles you look at, only messaging matches). They have totally lost their way.

"stalk_time" makes me feel very uncomfortable. Names matter.

The original name of the feature actually was "stalkers" — that's how it was presented to users before 2010 or so. The site had a lot of dark humor then. The word "stalk" also works as a clarifying synonym for "visit" in the code because "visit" could refer e.g. to the user's visit to the site itself.

The payload for the visitor API was an object containing an array whose key was `stalkers`, so still the same!

If it said "wash_time", then would you feel clean?

The thing that impresses me most is how quickly OkCupid removed public access to that API.

Eh, comment out a route and deploy.

That's all well and good for a tech demo, but things rarely seem to be that simple in systems as big/old as OkCupid. I guess this time, it was.

That's only true if there was nothing internally relying on it.

Whitelist internals and deploy?

It may be impressively fast or unimpressively simple. We won't know for sure.

Absolutely. But imagine e.g. a mobile app that uses that API. That's a harder change to propagate. That's pure speculation though, as you said. We have no idea.

Edge route blocking doesn't take a deploy.

Comment out and redeploy; fixing the other features is a much less urgent issue.

Where does the "body type" data come from? Do they ask you for your weight when you sign up?

You specify it as part of your profile. If you pay for A-List (paid plan), you can filter potential matches by body type.

Disclosure: Paying OKCupid customer. I don't mind paying to support the service, it's provided ongoing value to us.

I have to wonder how effective paying for a dating site really is. Presumably if you find a partner through the site you stop paying?

Aside from a token few they can blog about, what's their incentive to be successful?

I think their incentive to be successful is word-of-mouth advertising. I'd never considered online dating until both my aunt and a couple at work had success with it. I tried their service and also met someone I very nearly married.

Granted, I've never paid for a dating service. But the business model is much like Facebook's: get a bunch of free users to voluntarily give personal data about themselves, then sell that data to power users. There's a good degree of faith that online dating works in general (which is bolstered by successful matches), and some people are willing to pay for an advantage in finding someone (and in being found).

If you use it for (monogamous, long-term) dating, sure. OKC also supports short-term dating/hookups and polyamorous “looking for secondaries” use-cases, though, and such searches are indefinite—finding someone doesn’t make you any less interested in finding more someones.

OKCupid actually did a blog post about this, which they have since deleted. Here's a copy of it.


I don't think the fact that OkC now has paid features invalidates their (sadly deleted) blog post. With OkC, you can still match up with someone and accomplish what you intend to (finding dates/partners) without pulling out your credit card. Some of the paid features might (and might not) make it easier or more efficient to find a partner, but you don't need to pay them to get value out of the site. The argument in the blog post is against sites that require you to pay to do anything meaningful with the site, and I think that point holds.

The reason they deleted that blog post was because they were bought by Match.com

Not debating that; that's obviously the case, but really has nothing to do with the point I'm making.

It has nothing to do with paying vs free.

The issue is websites like match keeping profiles that are inactive or can't reply back.

"The issue is websites like match keeping profiles that are inactive or can't reply back."

I found Match to be very guilty of that. And on the app side, Bumble is the worst. Saw someone I knew from elsewhere on Bumble and I asked her about it. She seemed kind of surprised and said that she hadn't used it in almost a year. Others have reported that too.. Bumble clearly leaves fake or abandoned profiles there for people to swipe on. It's very deceptive.

Depends on the relationship/partner goals. There are people looking for more short term situations which will probably keep them on the site.

But yeah for those interested in more long term relationships, that's what happens. I cancelled my subscription after I went exclusive with someone.

Consider the goals for a dating website. Finding "the one" is hard; there's just too many factors. Even if you could put all the data gathering on the web for that, how many people would want to do it?

However, if a site is enabling the user to meet more people (and the right kind), I think they're delivering the most value they realistically can.

Value is in the eye of the beholder...

Likely depends on the type of partner you're seeking/find.

Those who are seeking committed long term relationships, yes, likely cancel.

Those who are seeking short-term/multiple relationships and would like a revolving door of them... subscriptions continue to renew.

Probably has a lot to do with the price points between 'casual' dating sites/apps like Tinder and OKCupid compared to something 'more serious' like https://www.itsjustlunch.com/ - where it _starts_ at $2,800.

Fair point that! I must've been in a long-term relationship too long, other types of relationship were in my blind spot

How many lunches is $2,800?

Hopefully just one :)

> Presumably if you find a partner through the site you stop paying?

The dating niche that OKCupid has traditionally filled has been non-monogamous relationships of various stripes

I kept a subscription going because I was looking for people to have casual sex with and wanted to A) support the site, B) have more advanced search options, and C) see who's liking me (unpaid it's a blind match like Tinder to find out likes).

I figure most other paying people are either the same or looking to cancel their subscription once they find a long term partner.

If you're at all successful, the subscription is negligible. Wait to see how much you spend on a pair of drinks on a first date.

It almost seems predatory. Nobody will be drawn to the paid version of OKC unless they weren't having success with the free version, and if someone wasn't having success with the free version then it's extremely unlikely that whatever is in the paid version is going to improve their chances.

There are always more people being born.

Their incentive to help you find mates is so that future people will join the platform due to you saying "OkCupid worked for me."

How well does that filter work when so many people lie to themselves about their body type?

I've seen too many 300+ lb women describe themselves as "average".

Works well. Folks are mostly honest, you’re going to meet in person eventually.

"""it's provided ongoing value to us"""

Is that a multi-user account? Or are you guys swingers or something?

Polyamorous couple. Swingers usually stick to lifestyle sites specific to that endeavor.

> However, they gave no answer for why unnecessary data was being provided.

I mean, it was obviously a bug, right? I imagine the only "explanation" would involve detailing the origin and nature of the bug which would be unwise until they've gone through all their other endpoints to ensure that there's not another instance of this same information leaking.

I don’t think that this was a bug. Most probably, they have those DTO objects for viewing and editing. In that scenario the correct thing to do would be to create a new DTO object that exposes only the necessary information, but this is an extra effort.
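An added example, not code from the thread or from OkCupid, of the separate read-only DTO this comment describes: the internal visitor record keeps every column, the serializer allowlists what each consumer may see, and a regression check flags any key that reaches the wire without being allowlisted. The `stalkers` key, `stalk_time` and `body_type` names follow the thread; the remaining fields and values are constructed.

```python
from dataclasses import dataclass, asdict
from typing import Any, Iterable


@dataclass
class VisitorRecord:
    """Internal model as stored. Field names beyond stalkers/stalk_time/body_type
    are assumptions made for this example, not OkCupid's schema."""
    user_id: int
    username: str
    stalk_time: int       # epoch seconds of the visit (name from the thread)
    body_type: str        # profile attribute the visited user did not mean to publish
    email: str            # constructed, clearly private
    last_login_ip: str    # constructed, clearly private


# Allowlists per consumer. Anything not listed is dropped, so a column added to
# VisitorRecord later stays private until someone deliberately opts it in.
PUBLIC_VISITOR_FIELDS = frozenset({"user_id", "username"})
OWNER_VISITOR_FIELDS = PUBLIC_VISITOR_FIELDS | {"stalk_time"}


def raw_payload(records: Iterable[VisitorRecord]) -> dict[str, Any]:
    """The 'before': the whole internal object serialized as-is (the leak)."""
    return {"stalkers": [asdict(r) for r in records]}


def to_dto(record: VisitorRecord, allowed: frozenset) -> dict[str, Any]:
    """Copy only allowlisted keys; unknown keys never make it out."""
    full = asdict(record)
    return {k: v for k, v in full.items() if k in allowed}


def visitors_payload(records: Iterable[VisitorRecord], allowed: frozenset) -> dict[str, Any]:
    """The 'after': same envelope as the thread describes, filtered per consumer."""
    return {"stalkers": [to_dto(r, allowed) for r in records]}


def leaked_fields(payload: dict[str, Any], allowed: frozenset) -> set[str]:
    """Regression check for CI: every key on the wire that is not allowlisted."""
    leaked: set[str] = set()
    for dto in payload.get("stalkers", []):
        leaked |= set(dto) - allowed
    return leaked


if __name__ == "__main__":
    sample = [VisitorRecord(1, "alice", 1523232000, "average",
                            "alice@example.test", "203.0.113.5")]  # constructed
    print("leaked by raw serializer:", leaked_fields(raw_payload(sample), PUBLIC_VISITOR_FIELDS))
    print("public payload:", visitors_payload(sample, PUBLIC_VISITOR_FIELDS))
```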

Obviously a hidden feature of OkCupid for matching security researchers.


Hey, thanks for reading.

The point I was trying to make is that we need to hold everyone accountable / secure. Just because no one is actively exploiting the data in a huge fashion (ie. Cambridge Analytica) doesn't mean we should let it go.

I'm terrible at following the news by the way :(

Don't waste your time feeding throwaway trolls.

good point!

How does this even happen?

How can the developers behind an endpoint like this not confirm/test that it requires permissions/authentication to consume? (I mean, look at all that data...)

Amateurs I can understand - but OKCupid has been around long enough they shouldn't be employing people of that nature.

Is there no code review process?

This is just nuts.

"Visitors" was actually a feature up until a few months back. They probably removed it from the front-end, but left it in the back-end. This is very, very common. There would be not much to "review."

I do appsec for a living now and it is amusing how few people question stuff. I have made a name in a small firm by finding something easy, but usually severe, and coaching coworkers who had no idea. Of them I am one of the most junior, and we replaced security people from before and the most senior has been here 2-3 years. Some of the stuff I'm busy writing up has 5-10 precedents in the company and upsets lazy culture and repeat copy pasta.

And I will tell you on sprints where anyone is busy that team introduces something sloppy or nutty when one of us does not watch closely and ask, sometimes both. But when I point things out people are eager to roll it back.

Never attribute to evil that which comes from ... you get the idea!

It's easy to fall into this:

It works so no one complains.

It's certainly not outlandish that this happened. Have you never been employed as a programmer?

I am, and have been. That's why it's so outlandish to me - I keep user data in mind all the time. Finding out you're leaking sensitive personal data is a slippery slope neither I nor my clients want to go down.

Are you implying that it's not outlandish for professional programmers to not have these things in mind?

Data leaks like these happen with some frequency, which is why they are not outlandish.

> That's why it's so outlandish to me - I keep user data in mind all the time.

You keeping data in mind has no bearing on whether or not data leaks are outlandish. You don't seem to understand what the word means, tbh.

> Are you implying that it's not outlandish for professional programmers to not have these things in mind?

No, I directly implied that your real or feigned surprise at this happening makes it look like you don't understand the industry. If you're familiar with the industry it shouldn't be a surprise that this happens.

I can only speak for myself, having never worked for massive clients with deep pockets. I care more than my employers. "does spending time on that make moniez?" "I mean...." "Then no, let's do that cool loading spinner as it is all about user experience".

I never get it why people who discover secrets like these make extra sure nobody else can ever enjoy them again. Just use the undocumented feature and don't make a big thing out of it.

This way it's ruined for everybody, and they get nothing in return, except for some HN points on their blog post.

This is not an unintended feature - it is a gaping privacy gap. That data is not intended to be public, and is in fact dangerous when made public. It's _especially_ creepy that this detailed data is available to someone who has unsuccessfully interacted with you on a dating website. All that aside from this likely being against the terms & conditions provided by OkCupid, meaning their users' data was being used against the contractual limits.

There was no real-world case where this data was useful in a non-creepy way.

Don't know if you're sarcastic, but I prefer privacy related issues like this to be surfaced and would call it morally wrong not doing so.

There would be no privacy issues if the users did not give up that private data willingly in the first place. A-ok with random company on the internet having access to it, but suddenly other random parties exploiting it are "creepy"? It was being shared with advertisers and analytics providers anyway.

> It was being shared with advertisers and analytics providers anyway.

That doesn't make it acceptable in any way.

> it's ruined for everybody

I'd prefer that it was. This is clearly something that leaks personal information.

> ...and they get nothing in return, except for some HN points on their blog post.

And, you know, some increased measure of privacy.

For some odd reason people seem to be concerned about all the private data they (willingly) give to these corporations leaking outside of the corporation proper as if it's a violation of their (misplaced) trust or something. Lots of that going around recently for...reasons.

Not sure if sarcasm or stalker enthusiast

Why come out with an ad hominem? You could just say "data enthusiast" ("I like big datas and I cannot lie").

This sort of comment is in line with their post history so no, likely not sarcasm.

Who are you?
