When news of a data leak in one of the dating portal’s custom APIs was disclosed to heise Security, the editors managed to reproduce the problem and access the data of a specially created test profile. The API disclosed information including the email address and password of the test user, which allowed access to the user’s profile.
Once logged in, the editors could have accessed any data, private messages and photos stored with the user profile. However, logging in wasn’t actually required to retrieve sensitive information – most of the data was already available through the API. Labels such as “sexuality”, “childrenNumber”, “schooling”, “yearlyIncome”, “relationshipTyp” or “searchOneNightStand” provide some idea of the havoc a malicious data thief could have wreaked with this information.
After heise Security informed meetOne co-founder Nils Henning, the vulnerability was closed within hours. Henning said that the “scope of the hole is limited” because “no sensitive data such as billing information was retrievable at any time”. The executive didn’t clarify why the company thought that information such as plaintext user passwords was not considered to be “sensitive data”.
The operators cannot guarantee that the hole has not been exploited in the past and say that they have “reset all passwords”. However, on checking at 7.30 pm on Wednesday evening, all passwords that were tested by heise Security were still functional. To be safe, users who have previously created a profile with this site should change their password – and, importantly, they should also change passwords on any other services where they may have used the same password.
Founded in Germany, the dating portal is now operated by US company meetOne International LLC. Nils Henning continues to work for Hamburg-based meetOne GmbH, a company that now regards itself as a service provider to the LLC and “mainly handles support tasks”.