Internet dating site OKCupid uses an instant login feature and it’s proving to be a troublesome security hole for some users, reports The Verge.
It works like this: Whenever the site has cause to send you an email, links inside that email contain a unique identifier (called a token) that, upon clicking, will log you into your OKCupid account without prompting you for a password.
The trouble presents itself when people begin forwarding these emails or otherwise distributing these custom links. The Verge has several examples of these otherwise convenient emails causing trouble for people.
One instance saw a woman publicly blogging about an OKCupid user, including a link to his profile that she copied from her email. Until she caught the error and fixed it, anyone clicking that link would be logged in as her.
OKCupid did not immediately respond to request for comment, but we’ll update if we hear back.