’s HTTP-only login page puts millions of passwords at risk

Tens of millions of subscribers risk having their site password exposed each time they sign in because the dating site doesn't use HTTPS encryption to protect its login page.

The screenshot above was taken Thursday afternoon. Showing a session from the Wireshark packet sniffing program, you can see that this reporter entered "[email protected]" and "secretpassword" into the user name and password fields of the login page.

Amazingly, the page uses an unprotected HTTP connection to transmit the data, allowing anyone with a man-in-the-middle vantage point—say, someone on the same public network as a user, a rogue ISP or telecom employee, or a state-sponsored spy—to pilfer the credentials. Had followed basic security practices and properly enabled HTTPS on the login page, the entire session would have been unintelligible to all but the end user and connecting server.

Read 1 remaining paragraphs | Comments