How to boost your popularity on OkCupid using CSRF and a JSON type confusion (azuki.vip)
295 points by flipnotic 5 months ago | 129 comments

> It also occurred to me that if I redirected my website to the CSRF link that automatically sent a message to me, I could see the OkCupid profiles of my website visitors who were logged into okcupid.com, which would make for an intense web analytics tool.


I learned recently that if someone forwards you the email that OKC sends them alerting them to a new message and you click on it you gain passwordless access to their account.

I contacted OKC about this but they said that it was not an issue.

Lots of sites do this, it’s a feature for the majority of users who prefer convenience over security.

I find that passwordless links usually expire after 1 use or some amount of time; generating eternal alt-passwords for an OkCupid account in every message notification email seems pretty heinous.

Gmail now pretty much breaks single-use tokens in links because it consumes them itself after a user clicks on them, but before redirecting the user to the site.

It's an unfortunate change that has made single-use links a worse UX and less popular in the last couple of years.

This sounds like it would break a bunch of email address verification systems, password recovery links and the like. I wonder if indeed it does break them, but since it only affects smaller websites nobody seems to care.

> "This sounds like it would break a bunch of email address verification systems, password recovery links and the like."

This is exactly the pain I've experienced with my own site, https://alchemist.camp

I've manually tested it and seen the token consumed when clicking the link via gmail but had no issues when copying the link from the password reset email to a gmail account. A second manual tester confirmed the same, as have multiple support cases.

Password recovery links sporadically fail for gmail users. I had to add extra instructions to copy and paste rather than click through the link and am in the process of moving away from single-use tokens because a lot of people still click before reading those instructions and email me for support.

My increased customer support burden isn't something Gmail PMs worry about, but they may whitelist some larger service's emails.

Instead of copy and paste you could have a POST form on your site to trigger the actual reset (with a hidden field pre-populated from the params of the email link). Gmail and others won’t touch it. They assume a GET is free from side effects and that it is safe to load your link because of that.

Why not make them 2 use tokens?

Not quite as secure, but way better than never expires?

Or after initial token use, set to expire after n seconds rather than immediately

That's exactly the approach I'm leaning towards using.

Or you could trigger an ajax call on the page that actually checks the token validity, then redirect the user to a new-password or a "sorry, expired" form.

Gmail may fetch the page but won't run the JS on it.

Edit: this works for situations when spam filters fetch the links as soon as the mail arrives.

Yes, please ruin functionality without javascript for the sake of gmail's nosiness.

The comment about a form and PUT/POST is good - it will work by standards in any browser, even when Gmail starts executing JavaScript. Add auto-submit JavaScript on top if preferred.
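The reset flow the comments above converge on (a side-effect-free GET that renders a form, and a POST that consumes the single-use token), as an added example that is not from the linked article or any commenter. The store, handlers and the simulated mail scanner are constructed; the route names and the 900-second lifetime are assumptions.

```python
"""Two-step password reset: the e-mailed link is a side-effect-free GET that
only renders a confirmation form; the user's POST is what consumes the token.
Everything here is a constructed example (in-memory store, fake requests)."""
import hashlib
import secrets
import time


def _fingerprint(token: str) -> str:
    # Store a hash of the token, so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._by_fp = {}          # fingerprint -> (user_id, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_fp[_fingerprint(token)] = (user_id, self._clock() + self._ttl)
        return token

    def _find(self, token: str):
        entry = self._by_fp.get(_fingerprint(token))
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            self._by_fp.pop(_fingerprint(token), None)   # expired: forget it
            return None
        return user_id

    def peek(self, token: str):
        """Validate without consuming (safe to call from a GET)."""
        return self._find(token)

    def consume(self, token: str):
        """Validate and invalidate in one step (only from a POST)."""
        user_id = self._find(token)
        if user_id is not None:
            del self._by_fp[_fingerprint(token)]
        return user_id


def handle_get(store, query):
    """GET /reset?token=...: render the form with the token in a hidden field.
    Nothing changes server-side, so link scanners can fetch it freely."""
    token = query.get("token", "")
    if store.peek(token) is None:
        return {"status": 404, "body": "This reset link is invalid or has expired."}
    return {"status": 200,
            "form": {"method": "POST", "action": "/reset", "hidden": {"token": token}}}


def handle_post(store, form, passwords):
    """POST /reset: consume the token and set the new password."""
    user_id = store.consume(form.get("token", ""))
    if user_id is None:
        return {"status": 400, "body": "This reset link is invalid or has already been used."}
    passwords[user_id] = form["new_password"]    # real code would hash this
    return {"status": 200, "body": "Password updated."}


def handle_get_consuming(store, query):
    """The fragile pattern from the thread: the GET itself consumes the token."""
    user_id = store.consume(query.get("token", ""))
    return {"status": 200 if user_id else 400, "user": user_id}


def simulate_scanner_then_user():
    """A mail provider pre-fetches the link three times, then the user clicks,
    submits the form once, and a replay of the same POST is refused."""
    store, passwords = ResetTokenStore(), {"alice": "old"}
    query = {"token": store.issue("alice")}
    scanner = [handle_get(store, query)["status"] for _ in range(3)]
    user_get = handle_get(store, query)
    form = dict(user_get["form"]["hidden"], new_password="new")
    first_post = handle_post(store, form, passwords)
    replay = handle_post(store, form, passwords)
    return scanner, user_get["status"], first_post["status"], replay["status"], passwords["alice"]


def simulate_fragile_flow():
    """Same scanner, but against the GET-consumes-token design: the scanner
    burns the token and the real user gets an error."""
    store = ResetTokenStore()
    query = {"token": store.issue("bob")}
    scanner = handle_get_consuming(store, query)["status"]
    user = handle_get_consuming(store, query)["status"]
    return scanner, user


if __name__ == "__main__":
    print("two-step flow:", simulate_scanner_then_user())
    print("fragile flow: ", simulate_fragile_flow())
```

The hidden-field form is what makes this robust: a scanner that follows the GET sees a valid page and changes nothing, while the POST still requires a browser that renders and submits the form, which also keeps the flow working without JavaScript.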

This isn't the case in my experience.

We have a tool that sends me an email with a single use link when it's used.

I just now confirmed that I receive the email containing the single-use link, that I can click on it and view the page, and that the single-use link is no longer available after I've viewed the link.

Is this perhaps conditional behavior of some sort?

Perhaps it’s 2-use?

It's not. It's a tool we developed, and I've confirmed that the resource at the link is fully destroyed after the first access.

Wow, can you theorize why they would build it that way?

They never expire. Source: am OKCupid user.

As mentioned in another comment: this is one of the reasons I laughed when they made a grab for everyone's phone numbers, claiming it was to prevent people from haxxoring your account.

This isn't ideal, but why would anyone forward this kind of email?

I might forward it to a friend to ask if that's the girl he dated last week, without meaning to give him passwordless access to my account.

A good way to know if he is really your friend ;)

The email itself could be intercepted, could it not?

I guess when an adversary knows about the feature and uses some social engineering against the user?

In order to get access to their... OkCupid account? Not sure that I care.

You might care if you were married and using OKCupid to find a girlfriend.

You may say that getting exposed for trying to have an affair is a good thing, but that's still a reason why someone may care how secure their OKCupid activity is.

Certain sexual behaviours are outlawed in certain nations. And may result in death or long incarceration times.

In other nations, it may not be strictly illegal, but is more than enough information that, if publicly released, would result in death threats and other social pressures.

Everyone's got something to hide somewhere.

That's shocking! Really surprised that they don't see this as an issue, I would expect that it's trivial to social engineer someone into forwarding you one of those emails.

It also really takes the wind out of the sails of their whole "you must give us your phone number for security" song and dance and makes it clear the phone number was only for tying your username to your real world identity.

Maybe, but how much value is there in taking over people's OKCupid account?

Someone I knew once sent me an urgent direct message over Twitter that they were stranded in the City of London and needed me to wire money. Phone gone, computer stolen, they could only communicate by Twitter. Of course it wasn't actually my friend, but a 2-bit hacker. But if they were to collect enough accounts and message enough people, someone might bite. Maybe someone would give up something truly valuable if they really thought it was someone they cared about, a long lost son, or a pined-for ex.

If there's no value or downside to someone taking over my OKCupid account, why have a password on it in the first place?

This is a horrible take, obviously there’s different levels of security and risk associated with everything.

A horrible take on how much value is there in taking over people's OKCupid account?

If there's literally no value in taking it over, then why password protect it in the first place?

I have an online photo album and while I could password protect it and share the password with people that I want to share it with, there's very little value (perhaps there's some small social engineering value) in protecting it. If there's no value in exposing it, why bother password protecting it?

It's a bad take because you made it sound like I said it was worthless, when all I implied was that it isn't worth much. There's a difference.

I took your reply as meaning it has so little value that there's no reason to or even harm if someone takes it over.

Did you mean that it's valuable enough that someone should protect it, but shouldn't bother protecting it too much (like, anyone with the URL should have access to it) since it has little value? I'm not sure I really understand the nuance, but I'd be awfully surprised if I forwarded an email to someone from OKCupid and it gave them passwordless access to the account.

There is a huge market in romance scams and people lose huge amounts to it, most people are clever enough to spot them but many aren't. Now if you're able to intercept a genuine conversation it'd give you a good advantage.

Even at a lower level, just sending a bunch of messages asking for money for a cab/train/airfare might yield good returns. People let their guard down when there's a possibility of getting laid.

You'd be surprised, a lot - but I'd wager it's easier to just save the photos and open up your own honeypot that way.

But the messages could be interesting.

The value is relative to motivation, I'd posit

The Data Protection Agency loves this weird trick!

I have no idea if OkCupid still does this, but they used to segment their users based on attractiveness ratings. At first, I think it was solely just literally your attractiveness rating. They had a feature where you could rate people 1-5 stars and if you were in the top 50% of all rated users, you'd only see other people in the top 50% in your search results. If you were lower 50%, you'd only see people in the lower 50%. I think they eventually made this more sophisticated by augmenting the explicit average star rating with other measures of engagement like how often people saved your profile, how many messages you received, and the rate at which your own messages were answered.

Something like this could have been valuable to get you into the upper tier.

The whole top vs bottom 50% attractiveness bit was a gag thing. It's such a common outraged-post topic that the okcupid subreddit has a FAQ about it in the sidebar.

OKCupid used to be substantially weirder than it was before it was swallowed up by IAC. I mean really fucking weird. One of many examples: the signout page had a clipart photo of an airport firefighter (ie silver suit head to toe) in a veeeeery suggestive pose with a firehose.

However, dating sites absolutely engage in the same techniques to hook users and reduce "churn" that free-to-play / cosmetic-sale-funded games do. Tinder is basically ELO applied to matchmaking coupled with the same psychological tricks (like initially showing your profile to much more attractive people / showing you much more attractive people, before dropping the likelihood of your profile appearing in anyone's stacks, and periodically re-boosting your profile just a tad to keep you from deleting your account.)

Edit just to say I forgot: why on earth is okcupid allowing links at all? Seems ripe for abuse. I guess it would encourage people to switch to off-site messaging quicker...

The FAQ says it's determined by likes. Not that it was a gag.[1]

[1] https://www.reddit.com/r/OkCupid/wiki/faq#wiki_1._.22we_just...

Apparently it's been changed, and I guess the mod team is in on the gag, because it's just an anti-churn email.


The FAQ used to say the message was more common than you think.[1] But the message said you're among the most attractive people on OkCupid. Not just above median.

The article implied the message should say interesting not attractive maybe. But it implied the segmentation is real.

[1] http://web.archive.org/web/20130420011526/https://www.reddit...

I have no idea if it's a gag now, but they definitely used to actually do this. If you were around from the beginning, which I was (joined January 2004), you were very likely to end up in the top half when this first began. And you could trivially create a new account with otherwise identical details in the same location and see that your matches and search results were not the same people. After a few years, your new account would not just see different people, but noticeably uglier people.

OkCupid used to have real social features. You got a personal journal and could follow the journals of other users, and this clustered the sort of "power users" into cliques. This was actually how I met my wife, way back in 2007 though we didn't even live in the same state at the time and didn't physically meet until much later after discovering we'd both moved to Texas. Match axed the feature and we all moved to a Facebook group, but I've since quit Facebook, so only keep in touch with a limited number of people I had real contact details for whenever I happen to visit their cities for some reason.

This quite visibly split us. Knowing who in the group was top half and who in the group was bottom half was fodder for a whole lot of flame wars. And, of course, being it was a dating site, mate selection and the question of to what extent attractiveness can be objectively quantified was always a huge topic of contention. It's interesting to see so many years later how the split between the people taking distinct sides of that has evolved. Back then, those on the "objectively attractive" side of the coin were super into evo-psych, Austrian economics, and libertarianism. Those on the other side were quite a bit more varied, but I guess at least universally against the war in Iraq. 16 years later, the same people I still know have now segmented in extremely predictable ways, like anyone who really cared about Austrian school economics back then is now firmly red-pilled, anti-immigrant, super pro western-culture, into scientific racism and "human biodiversity" and somehow all migrated from libertarianism to backing classic right-wing nationalism complete with strong-man dictatorial leadership. The other side used to have a huge diversity of opinions on most things, but now all seem to universally be super into anti-racism, anti-fascism, and trans rights activism.

It's like the entire trajectory of what a person would ever come to believe as guiding principles upon which to base their lives was decided by a single trivial controversy with bad evidence in either direction that they nonetheless decided to take a hardline stance on decades ago.

With respect to the dating site techniques, I think it's important to distinguish between the OkCupid of today owned by IAC and the original OkCupid owned by Humor Rainbow. Match and IAC monetize using the same normal strategies of free to play games. But Humor Rainbow's strategy was to be the first to use fledgling big data techniques to fine-tune algorithmic matchmaking (in contrast to eHarmony's attempt to use conventional wisdom from the existing body of psychology knowledge), and then sell that technology to the highest bidder and cash out. The incentives of the current ownership and the incentives of the founders were quite different.

> Something like this could have been valuable to get you into the upper tier.

Only valuable until people view my profile picture.

Oh, someone that knows what they're doing photographically can help quite a bit there. A good professional portrait photographer has probably forgotten more tips and tricks to do with posing and lighting than the average Instagram professional ever knew.

Some people just take good pictures.

My sister was voted best looking at Redwood High School. The same school our governor graduated from. It was a huge graduating class.

When she was younger, people used to tell her she should be a model. Well after watching Brook Shields endlessly she decided to give it a try.

She got my dad to fund a professional photo shoot. Something my cheapskate dad never forgot about.

Anyway, I always thought my sister was aesthetically very pretty.

I thought she was a shoo-in.

Well we got the photos, and it was a huge no.

While being literally breathtaking in person, she didn't photograph well.

Years later, I was with her husband while he went to a modeling audition. Every applicant's picture was taken at the door with a Polaroid.

I asked a photographer why. He stated some people just don't photograph well, and without that picture we would be wasting time.

Anyhoo--Personally I have never liked being photographed. Why--because I'm homely in life, and pictures just confirm it.

And then what? You score the date and rely on your awesome personality to make up not only for being physically disappointing, but having to some degree lied about it via a professional portrait photographer's tips and tricks?

And if all that works, you found someone who liked the look of a fake/augmented version of yourself, but whom you persuaded to like the real self anyway... Congratulations?

I think sometimes having a foot in the door helps anyways. Of course grossly misrepresenting yourself is a bad idea but enhancing a bit, why not? Also, it is indeed possible that your potential partners may value other aspects besides your appearance, not everyone is obsessed with looks. But of course your mileage may vary depending who you met in your life, and also based on where you live / local customs etc.

Then there is the issue of how you perceive yourself. When I was in my 20s and 30s I used to think of myself as not attractive, but now when I look back at my old photos from a more detached point of view, I think I was a fairly attractive young man. Excessive self-criticism can be bad and artificially put you down.

After entering a "serious" relationship and then getting married in my 30s I was able to look at myself in a more balanced way. I think my previous self-criticism was fuelled by some vague fear that I would never find a partner and I would live a lonely life. Probably it's a common thought among people of that age.

I'd like to underpromise, but overdeliver - that's my motto!


Think of it more like ignoring job requirements when submitting your resume. Once you get an interview, that's all that matters.

Or rather, lying on your CV, claiming you meet the requirements; having someone who knows all the tips tricks and buzzwords edit it for you?

But hey, once you get an interview!

Maybe "interview" is a euphemism in this context?

> having to some degree lied about it via a professional portrait photographer's tips and tricks?

Those tips and tricks are no different in kind than what people do themselves; the only difference is knowledge.

> And if all that works, you found someone who liked the look of a fake/augmented version of yourself, but whom you persuaded to like the real self anyway... Congratulations?

Let's not act like first impressions have no meaning, and that getting around them doesn't have benefit and allow other traits or a more accurate impression to come through that wouldn't have gotten a chance otherwise.

Haven't you ever become friends with someone that you disliked or avoided to some degree initially because of some bad first impression?

It depends. If you have a good few textual exchanges that show you to be engaging, they may forgo some facial appearance shortcomings. So if the other person engages with good looking ones but those disappoint in their conversation but you do well in conversation, getting your foot in the door with the good photo of yourself could make the difference.

Sometimes people with good looks fail to cultivate other aspects of their person. An average looking person can take advantage of that by developing these other areas. But... you need that first opportunity.

There are a few cognitive biases that can assist. People can become more attracted to someone simply by learning the other person was attracted to them. Also, the more time you spend with someone, the more attractive they will become.

Eventually, we’ll have glasses that can apply everyone’s preferred filter in real time

Being popular is a "sexy attribute" on its own, to many people.

They had a thing where if you dismissed the top attractive users they would segment you as attractive as well and bump you up to the upper tier.

> Something like this could have been valuable to get you into the upper tier.

Maybe not! Perhaps users would have more positive experiences if they "swam in their lanes."

It's probably better to be erroneously in the bottom tier than erroneously in the top tier for reasons that should be obvious.

All the dating apps use a derivative of this and you can game that. They deny any particular label like ELO, used in online game lobbies. But knowing how leveled game matchmaking works will allow you to optimize your experience in dating apps far greater than wondering if you need a picture of a dog in your profile to get more matches.

Hope you guys don't mess up my experience with this knowledge! But I’ve been using these tweaks for years, so I’ll probably be on to something else after this gets arbitraged away.

Any recommendations on where to learn how leveled game matchmaking works?

Not sure.

Basically you start as a baseline or perhaps an average, and your own behavior influences who you get matched with.

So in dating apps, matching indiscriminately in frustration at getting few matches will ensure you get thrown into the less attractive bucket, as you match with mostly other people already in that bucket. You can delay or prevent this from happening by being more discerning, not dissimilar from trying to chat up everyone in a crowd. But you can get the algorithm to only show you other people considered attractive by a large population.

Note: if your ranking is too low, people you see are not actually seeing you. So they aren't really expressing an opinion on accepting or rejecting you. So keep it high. Apps are different and they update a lot, but just assume this is happening behind the scenes.

The sad or sadder part of this is to not match with unattractive people. Keep them in pending forever even if you rarely get matches. The algorithm also has to learn to show you to people that are widely considered attractive. Takes 3-7 weeks and then it's a gravy train (in the cities), or time to reevaluate other aspects of your profile.

It's not really that complicated, just counterintuitive.

Last thing I’ll add is that attractive people have the same anxieties or “awesome personalities” or other attributes as unattractive people. So you can prioritize your time accordingly.

Why is this downvoted?

Ah, more than a decade ago I found a similar issue on Friendster (anyone remember them?), I could embed an HTML image tag in my profile which loaded a PHP script (under my control) that would redirect the user to something like friendster.com/poke?id=[my user id], so if anyone visited my profile, their browser would GET that URL and I'd get a "poke" (I don't remember the Friendster term for it), notifying me who visited my profile.

I didn't get many pokes, and I can't tell what part of this story is the saddest. Maybe the part that there probably weren't bounties back then (that I was aware of) and I didn't get any money for this discovery.

A version of this was (maybe still is?) possible with LinkedIn, where you could simply embed a LinkedIn profile in a hidden iframe and then use the “who viewed my profile” feature to see who viewed your site.

Modern browser security features do not allow such an iframe.

> Luckily the W3C deities gave us exactly such a gift in the form (pun intended) of the enctype attribute.

Minor quibble: enctype="text/plain" didn’t come from W3C. HTML 4.0 forms only defines enctype="application/x-www-form-urlencoded" (which pct-encodes the json delimiters {"":}) and enctype="multipart/form-data" (which has a non-json Boundary prefix) so if those were the only enctypes that browsers used, then this exploit would not have worked. https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4

WHATWG HTML5 does define enctype="text/plain" behavior https://html.spec.whatwg.org/multipage/form-control-infrastr.... According to the mozilla docs, it was “Introduced by HTML5 for debugging purposes.” https://developer.mozilla.org/en-US/docs/Web/HTML/Element/fo... But I doubt it was created by WHATWG either; in 2004 the HTML5 editor Ian Hickson said “I agree it is brain-dead (it's IE-compatible)” https://lists.w3.org/Archives/Public/public-whatwg-archive/2... Unfortunately I can’t see history of the spec before 2006 though https://github.com/whatwg/html

I believe this also requires that OKCupid has not set the 'SameSite=lax' attribute on their cookies, which is good practice as well; the browser won't send the user's cookies on cross-origin POST, PUT, PATCH, or DELETE requests when this attribute is set.

So this exploit is really the confluence of failing to follow 2 standard security practices, as well as another unfortunate configuration quirk:

- Failing to set SameSite=lax on their session cookie attribute
- Not using a CSRF token to authenticate on unsafe HTTP actions
- Not checking the content-type of API requests (though I'm not sure to what extent this is considered bad practice)

I thought most modern browsers behave as if SameSite=Lax automatically these days. Were OkCupid deliberately setting SameSite=None on their cookies?

Wasn't lax just for static assets like images that are linked in external HTML?

Yes it was - "... are sent when a user is navigating to the origin site" https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...

... but in my experiments now I can't find a way to cause a SameSite=Lax cookie to be sent from a POST request starting on another site: https://simonw.github.io/samesite-lax-demo/

Defaulting to SameSite=lax is a (relatively) recent development, as per the doc you linked.

Yes, I don't think cookies with SameSite=Lax will be sent to a cross-domain host when the request type is a POST, even when the navigation is top-level. Though they will for GET and HEAD.

Defaulting to SameSite=Lax has only been in Chrome since Feb of last year, and in Edge since October of last year. It has yet to land in Firefox or Safari.
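The cookie-attachment rules that the last few comments argue over (Lax is sent on a top-level cross-site GET, not on a cross-site POST or a subresource load; an unset attribute is Lax only in browsers that default to it), written out as a decision function. This is an added example, not code from the article or the commenters; the scenario names and the `lax_by_default` switch are constructed to mirror the thread.

```python
"""Does the browser attach a cookie to a request, given its SameSite attribute?
Encodes the rules discussed in the thread; all scenarios are constructed."""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # "safe" methods per RFC 7231


def cookie_is_sent(samesite, *, cross_site, method, top_level_navigation,
                   lax_by_default=True, secure=True):
    """samesite: "Strict", "Lax", "None", or None when the attribute is absent.
    lax_by_default: True for browsers that treat a missing attribute as Lax
    (Chrome/Edge per the thread), False for those that still treat it as None."""
    attr = (samesite or ("Lax" if lax_by_default else "None")).lower()
    if not cross_site:
        return True                      # same-site requests always carry the cookie
    if attr == "strict":
        return False                     # never on any cross-site request
    if attr == "none":
        return secure                    # SameSite=None is only honoured with Secure
    if attr == "lax":
        # Sent only when the user is navigating to the site (address bar, link,
        # top-level form) with a safe method. A cross-site POST or an <img>/<iframe>
        # subresource load gets no cookie.
        return top_level_navigation and method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")


def thread_scenarios(lax_by_default=True):
    """The four requests the comments mention, evaluated under each attribute."""
    cases = {
        "hidden form POST from another site":
            dict(cross_site=True, method="POST", top_level_navigation=True),
        "link click (top-level GET) from another site":
            dict(cross_site=True, method="GET", top_level_navigation=True),
        "<img> load from another site (subresource GET)":
            dict(cross_site=True, method="GET", top_level_navigation=False),
        "same-site POST":
            dict(cross_site=False, method="POST", top_level_navigation=True),
    }
    attrs = {"Strict": "Strict", "Lax": "Lax", "None": "None", "(unset)": None}
    return {name: {label: cookie_is_sent(value, lax_by_default=lax_by_default, **kw)
                   for label, value in attrs.items()}
            for name, kw in cases.items()}


if __name__ == "__main__":
    for name, row in thread_scenarios().items():
        print(f"{name:50s} {row}")
```

Run it once with `lax_by_default=True` and once with `False` to see why the same cross-site form POST carries a session cookie in one browser and not another. One deliberate omission: Chromium's Lax-by-default also has a "Lax + POST" mitigation that still sends an attribute-less cookie on a top-level cross-site POST for two minutes after the cookie is set, so a site relying on the default rather than an explicit `SameSite=Lax` has a short window the function above does not model.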

Anecdote: OkCupid is the only website or app where I've had an account hijacked. I got it back with a password reset, but the profile and pics were filled with bogus content.

I had the same experience. My profile was transformed into a 50-year-old white male wearing a trucker hat without my knowledge. By the time I was able to access my account, it had a bunch of matches and messages from 50-60 year-old American women.

So how'd your dates go?

That's what I would say too ;)

Any idea what the intent was?

Not the person you're replying to, but: probably to use the account to romance-scam other users with.

Reminder of the classic "Mathematician Hacks OkCupid" story from a few years back:


Intriguing! I have a friend that did a web scraper on OK Cupid several years before that article, perhaps 2009, based on the same idea: people can see when you looked at their profile or something. He didn't optimize much beyond that and wasn't meeting people he considered attractive, he just wanted to have an additional pool of meetings and volume of hookups, which was successful.

Both he and the author of this story were able to warp the male experience in order to have many messages from women to sort through.

I find this one interesting as the author here was actually looking to have a relationship, and eventually proposed and removed himself from the pool. I hadn't seen anyone do a data driven approach for that. 88 first dates though, a lot of effort.

I'm somewhat familiar with LA, haha, it's sad he cut out the women from the east side due to distance because he's normally around UCLA. The east side women sounded pretty fun, younger, unencumbered but having suboptimal living environments. Which sounds about right for Los Angeles. Makes me kind of want to ponder if anyone has done two apartments in LA, westside and downtown.

This may be my favorite headline I have ever seen on Hacker News

Is it just me, or the images on the post are not loading?

Initially I tried on the most recent FF, and about half the images were not loading. Refreshed the page, no images were loading after that at all.

Then I tried on the most recent Chrome, images were not loading at all either.

If someone has a workaround, please let me know. I have confirmed that adblocker and such were all disabled.

Upon trying to access the images directly, I got this 403 error:

> Your client does not have permission to get URL /u/0/d/<rest-of-the-URL> from this server. (Client IP address: <my-ip-address>)

> Rate-limit exceeded. That’s all we know.

Not just you. On Edge Chromium and no images are loading.

Good to raise awareness as this issue has tripped up some of the biggest websites on the internet. I actually reported the exact same issue to amazon.com a few years ago. At one point it was possible to trick visitors into purchasing anything you wanted on amazon.com, including fake products you listed yourself or gift cards that you could send anywhere you wanted!

As someone who used to be somewhat active on the site and even tried out their paid subscription, I had the features of the paid subscription for years after I canceled my membership. They finally caught it and disabled them but it was pretty clearly a bug.

As the author mentions, simply validating the content-type would have been enough. CSRF is generally not a problem if you validate content-types and/or use SameSite for cookies, both of which have been recommended for years.

Would relying on CORS still work as long as the server checks that the type is actually application/json? Since those headers are impossible to set from a form, and doing it with fetch it would trigger a preflight request.

Historically, it would have been weak since Java/Flash gave you more control over sockets than what’s available with js. In today’s world, it might be ok. I would personally build defense in depth and not just rely on one weak property.
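The server-side checks named in this thread (the three-item list a few comments up, and the content-type validation and CORS-preflight point just above), as an added example that is not from the article, OkCupid, or any commenter. It puts a handler that JSON-parses whatever arrives next to one that enforces an exact `application/json` media type, an Origin allow-list and a per-session CSRF token. The `Request` class, the origin `https://app.example` and the request scenarios are constructed; cookies are not modelled because in the cross-site case the browser attaches the victim's cookies regardless, which is exactly why cookies alone cannot distinguish the two requests.

```python
"""Validating a state-changing JSON API request.

Three independent checks, any one of which stops a cross-site form POST:
exact Content-Type, Origin allow-list, per-session CSRF token.
Request objects, origins and tokens below are constructed for the example."""
import hmac
import json
import secrets

ALLOWED_ORIGINS = {"https://app.example"}    # assumed first-party origin


class Request:
    def __init__(self, method, headers, body, session_csrf=None):
        self.method = method
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.body = body
        self.session_csrf = session_csrf       # token the server issued for this session


def media_type(header_value):
    """'application/json; charset=utf-8' -> 'application/json'."""
    return header_value.split(";", 1)[0].strip().lower() if header_value else ""


def _origin_of(url):
    """'https://host/path' -> 'https://host' (empty string when not parseable)."""
    parts = url.split("/", 3)
    return "/".join(parts[:3]) if len(parts) >= 3 else ""


def naive_handler(req):
    """The fragile pattern: parse the body as JSON no matter what headers say.
    A <form enctype=text/plain> body that happens to be valid JSON is accepted."""
    try:
        return 200, json.loads(req.body)
    except ValueError:
        return 400, "bad json"


def hardened_handler(req):
    if req.method.upper() not in {"GET", "HEAD", "OPTIONS"}:
        # 1. Exact media type. No <form> enctype can produce application/json, and
        #    fetch()/XHR with that header from another origin triggers a CORS preflight.
        if media_type(req.headers.get("content-type")) != "application/json":
            return 415, "unsupported media type"
        # 2. Origin allow-list, falling back to Referer; reject when both are absent.
        origin = req.headers.get("origin") or _origin_of(req.headers.get("referer", ""))
        if origin not in ALLOWED_ORIGINS:
            return 403, "bad origin"
        # 3. Per-session CSRF token in a custom header, compared in constant time.
        supplied = req.headers.get("x-csrf-token", "")
        if not (req.session_csrf and hmac.compare_digest(supplied, req.session_csrf)):
            return 403, "missing or wrong csrf token"
    try:
        return 200, json.loads(req.body)
    except ValueError:
        return 400, "bad json"


def scenarios():
    """Status codes each handler returns for three constructed requests."""
    token = secrets.token_urlsafe(16)
    body = '{"message": "hi"}'
    cross_site = Request("POST", {"Content-Type": "text/plain",
                                  "Origin": "https://other.example"}, body, session_csrf=token)
    first_party = Request("POST", {"Content-Type": "application/json; charset=utf-8",
                                   "Origin": "https://app.example",
                                   "X-CSRF-Token": token}, body, session_csrf=token)
    no_token = Request("POST", {"Content-Type": "application/json",
                                "Origin": "https://app.example"}, body, session_csrf=token)
    return {
        "cross_site_naive": naive_handler(cross_site)[0],
        "cross_site_hardened": hardened_handler(cross_site)[0],
        "first_party_hardened": hardened_handler(first_party)[0],
        "no_token_hardened": hardened_handler(no_token)[0],
    }


if __name__ == "__main__":
    print(scenarios())
```

The content-type check is the one the thread calls sufficient on its own, and it is, provided the comparison is on the media type and is exact: accepting `text/plain` or anything starting with `application/` reopens the hole. The Origin and token checks are the defence in depth the last commenter asks for, so that a future browser quirk in one layer does not decide the outcome.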

Business model is not letting you find your person, because if you do they lose a paying customer. That's my thinking and why I'm not using dating websites.

I was talking about this exact thing with my girlfriend the other day. Tinder and other dating sites want you to stay as long as possible and spend as much money as possible with them. How do you do that?

Number one: You give them hope. Give people hope that they will find the person they are looking for if they stay on longer. Give people hope by helping facilitate a match just as they start to lose interest in the website. Make them think they will find someone.

Number two: Cultivate a culture of attractive people. Keep the attractive people staying. This gives hope for the unattractive people as they sometimes match with them. Keep the attractive people happy and help facilitate lots of meetings for them.

Number three: Provide an easy way to skip the whole attractive/unattractive hierarchy by letting people spend money. Now you too can get in on the action (but not for too long) if you have the money.

I realize this is a pessimistic view of dating sites. Heck, I met my current girlfriend of three years on OkCupid luckily. It's not all doom and gloom.

> It's not all doom and gloom.

Yep. They need it to work sometimes to stay competitive vs other websites. I guess it works as lottery draw, give only these 100 a proper match today

Haven't been single for a while - is OK cupid still a thing? I thought everyone used Tinder now.

Sort of. The thing is, a truly massive number of dating sites are owned by Match Group, which used to be part of IAC.

Bumble and Coffee Meets Bagel are two examples of major non-Match-Group companies.

My impression as a 30 year old het guy in SF is that the big 3 are Tinder/Bumble/Hinge, roughly sorted in order of "casual" to "serious relationship".

According to friends, OkCupid seems to be baaarely limping along in queer/poly circles.

They might be security wise rather weak, but their statistics blog is a brutal-beautiful view into what humans search for dating.


The official blog is the cleaned-up version, they removed the most interesting articles when they sold out to match.com

Famously, the article "Why You Should Never Pay For Online Dating" got deleted during the acquisition.

[1] Mirror: https://www.gwern.net/docs/psychology/okcupid/whyyoushouldne...

It's a good article, and one of the key takeaways:

If a dating site makes you pay to send messages, then they have an incentive to make you send messages to inactive accounts rather than active accounts, since people with inactive accounts have to pay in order to reply.

There were also articles that ran counter to popular gender theory/politics.

This is off memory but I believe their stats showed that men rated women's photos on what resembled a classic bell curve, shifted to the right slightly. Ie, dudes were generally reasonable if not a wee bit overly kind.

Women were exceptionally brutal in ranking men's looks. Women's ranking of men was a triple-diamond ski hill with damn near most of the userbase falling in (I believe, again, this is from memory) the bottom third. "Women are held to unrealistic beauty standards" seems to be more than a bit of projection.

Funny story: I got banned from OKCupid once for calling out other volunteer flagmods (people suckered into wasting their time policing OKCupid user photos for free) for body shaming and transphobia (the latter almost exclusively toward transfemmes, but both coming almost exclusively from white, straight women.) Hilarious.

Some "controversial" blog posts they deleted.

How men and women perceive attractiveness https://archive.is/489UV#selection-282.0-282.1

We finally answer the age-old question: should men keep their shirts on? https://archive.is/9fJQh#selection-282.0-282.1

We Experiment On Human Beings! https://archive.is/QNCbf#selection-278.0-278.1

How Your Race Affects The Messages You Get https://archive.is/kMP32#selection-278.0-278.1

Don’t Be Ugly By Accident! https://www.gwern.net/docs/psychology/okcupid/dontbeuglybyac...

More can be found here:


i'd love to pay for the substack of whoever wrote that blogpost, they have to be sitting on a mountain of unpublished insights.

What people say they sort on: personality, values, morals, political views, friendships, etc.

What people sort on when they don't think they're being observed: genes

If I'm remembering correctly, it was way more specific than that. The only genetic thing is there were some extreme racial biases. You really don't want to be an Asian man or a Black woman on a dating site.

But plenty of non-genetic things. Back when they let you list an income range, men with higher incomes got much better response rates. Men heavily favor women who are at least ten years younger than them. There were weirdly specific things about your photos that mattered, too, like you'd get a much better response rate if other people weren't in the photo with you, you'd get a better response rate if you weren't looking at the camera. Women were more attractive if they were smiling but men did better if they were not smiling.

Christian Rudder used to publish gold mines for anyone who wanted to just game hot-or-not. Plenty of this was stuff you could control, not genetic. Though I guess you can't exactly control your age even if it isn't genetic. It also let you sift through the lies, like women would always say they were turned off by shirtless pictures, but based purely on response rates, that definitely wasn't true for men who actually had lean bodies.

I haven't been on OkCupid in a long time. I think they first started publishing these data mining studies in maybe 2006? A lot of the old blog posts were purged after the Match purchase. I'm sure someone saved them off or they might still be on the wayback archive, but I don't even remember what the url for the blog was at this point and I doubt it's still even public. Your best bet at this point is probably just to read Dataclysm, the book Rudder ended up writing about all of his findings.

Interesting, have a link for the study? Can't seem to find it.

Not OP, but https://www.gwern.net/docs/psychology/okcupid/raceandattract...

This talks about a follow-up study 5 years after the first one, searching "okcupid race and attraction" doesn't find me the link to the 2009 article.

I'm pretty sure 99% of people would openly agree that physical attraction is a core element of partner selection.

Not anymore, but before online dating people were hiding it much more

People were trying to hide that they actually want to be sexually attracted to their partner?...

To me (a not attractive man) yes. But I'm from Eastern Europe, the culture is different there.

Out of curiosity, in terms of attractiveness and dating or choosing a partner, what do you feel is culturally different in Eastern Europe?

Generally non-US countries are lagging behind by a few years in dating culture. In Colombia for example I was already used for a foodie date (and some other girls have tried quite aggressively to go to dinner on the first date), but here in Eastern Europe it's not trendy yet. Younger girls are looking for equality based relationships, 30+ girls are looking for more traditional marriage.

OKCupid doesn't allow you to sort on anything anymore. It's all part of their business model of preventing people from creating permanent relationships. Yes, some slip through, don't @ me.

The way I see it, people sort on both genes (aka looks) and personality/values/morals/etc.

The thing is, by just scrolling through the feed/list of people to swipe on, you don't get to see much personality, mostly looks. To get to personality, you gotta talk to the person.

So when you swipe, you filter mostly by looks. And once you match and start talking, that's when you filter by personality.

Yes, one can say that you can get personality from their bio/profile, but that's such a non-consistent metric with tons of noise and misleading data (cliched/copypasted bio, nothing standing out, outdated bio, etc.). You need to have a conversation with a person to get a gauge of their real personality (of course, exceptions apply; if you see a profile/bio claiming that vaccines give kids autism and that the only valid covid treatment is essential oils, you kinda already have an idea who you are dealing with).

And out of all those people you spend a lot of time intensely reading thru profiles of before swiping, most of them won't even match with you. So imo, it makes sense to initially swipe based purely on looks and a 5-10 second glance at the profile, and then try to gauge their personality only after you match.

One of the founders published an excellent book that is an extension of the blog: https://www.goodreads.com/book/show/21480734-dataclysm

Wow, the in app questions are pretty politicised to say the least.

Is that something that really matters in dating these days?

Sadly a lot of their most interesting posts went away after they were acquired

Do people use OkCupid on the browser?

This would be unable if OkCupid stored its credentials in sessionStorage or localStorage instead of cookies, right?

With modern browsers, there are almost a dozen ways to defend against csrf. You can use sessionStorage and force all requests to be XHR. Set the “new” flag on session cookies to not transmit cross origin. Check the origin header for all POST requests. Set a token in the forms (the “classic” way).

This is so HN lol

Is this a type of inflation or a type of fraud or neither? Popularity is a made up category, or one that is ill defined while being manipulative. Popularity implies those most desired, but since this can be goosed by paying for attention, it is meaningless and hence let the hacking begin.

> I found you could use essentially the same vulnerability to get other users to “like” your profile. Obviously you could abuse this in order to match with anyone you could trick into clicking a link, or you could spam the link to a bunch of people to increase your profile’s rankings in whatever mysterious algorithm OkCupid uses to suggest people.

Ha! They should have used this to increase their evolutionary fitness!

Assumptions about matchmaking app algorithms are the crux of my behavior on dating apps. Far far greater influence than other users independent impression of my profile or me trying to put a best foot forward.
