OKCupid's Visitor API Provided Access to Users' Personal Information

Last year, dating app OKCupid removed the ability for its users to view who had visited their profiles, but a developer this week revealed that visitor data had still been available via OKCupid's Visitor API.

In a blog post, Zack Whipkey detailed how he was able to use okcupidjs, an unofficial JavaScript wrapper for OKCupid's API, to access detailed information about visitors to his OKCupid profile. This included data that was never displayed publicly and contained personally identifiable information, including exact birthdates. The accessible data also included location data and an indicator of whether the location was set manually or using phone GPS.

Whipkey reported this to OKCupid on March 29 and, to its credit, OKCupid quickly removed the ability to access the Visitor API. But the fact that detailed personal information had been available via an API that probably should have been retired when the Visitors feature was deprecated is bound to raise questions, especially given the discussion taking place around privacy and data protection in the wake of Facebook's Cambridge Analytica scandal.

We reached out to OKCupid for comment but had not received a response at the time of publication.
