Members of dating site Match.com, which has millions of subscribers across 25 countries, are at risk of having their passwords exposed. The website’s login page has had an error active for weeks, Ars Technica reports.
The reason is that the Match.com login page doesn’t use HTTPS encryption to keep its users safe, Ars Technica explains. Put as simply as possible: HTTP is the protocol websites use to transmit information online, and HTTPS is its encrypted form.
Companies such as Match.com should encrypt that data to protect passwords when users log in. On the front end of a website, you don’t see the inner workings of all this, but with the right tools, you can — and that’s where the passwords can be uncovered if websites don’t use the right security measures.
It’s been found that the Match.com website uses an unprotected HTTP connection to send and receive data over the web. This means that anyone positioned to see the traffic can use something called a “packet analyser” to see what’s going on behind the scenes.
Ars Technica reporter Dan Goodin used a packet analyser called Wireshark to uncover the vulnerabilities in Match.com’s login page. He writes that he entered his email address and a password into the Match.com login page while using Wireshark, and saw his details exposed.
So if a keen dater decided to sign into his Match.com profile to scout for would-be lovers on a public network — a coffee shop, airport, etc. — and someone with a packet analyser tool was on the same network, they could steal the information needed to sign in.
Filmmaker Scott Bryner first spotted the ease with which a third party could get into someone’s dating profile on Match.com and said the error has been apparent since March. The website has failed to follow basic security practices and millions of members are said to still be in danger of having their passwords stolen.
We’ve emailed Match.com for comment and will update this post if it responds.