Establishing Digital Trust: Don't Sacrifice Security for Convenience
As Ars Technica's Dan Goodin reports, Match.com uses an unprotected HTTP connection to transmit login credentials, allowing anyone on the same network to capture user names and passwords.
Bryner first noticed the flaw in early March 2015, though it's not clear how long the vulnerability was in place before then.
The flaw appears to be caused by a server configuration error that's redirecting all HTTPS traffic to HTTP. Bryner also observed that Match.com's sister site Chemistry.com appears to be doing the same thing.
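The misconfiguration described above is the reverse of the intended redirect: HTTPS requests bounced to HTTP instead of HTTP being upgraded to HTTPS. As an added example that is not from the article or from Match.com, the following Python replays a recorded redirect chain and flags a protocol downgrade; the hostnames and responses are constructed sample data.

```python
"""Audit a recorded redirect chain for an HTTPS-to-HTTP downgrade.

Responses are replayed from a table mapping requested URL -> (status,
Location header), as one might record them with `curl -I`. The sample
tables below are constructed for illustration, not real captures.
"""
from urllib.parse import urljoin, urlparse

REDIRECTS = (301, 302, 303, 307, 308)


def follow_chain(start_url, responses, max_hops=10):
    """Replay recorded responses; return the ordered list of URLs visited."""
    visited = [start_url]
    url = start_url
    for _ in range(max_hops):  # guard against redirect loops
        status, location = responses.get(url, (200, None))
        if status not in REDIRECTS or not location:
            return visited
        url = urljoin(url, location)  # Location may be relative
        visited.append(url)
    raise RuntimeError("redirect loop or chain too long")


def audit_chain(urls):
    """Return findings for a visited-URL list: downgrades and a plaintext endpoint."""
    findings = []
    for prev, nxt in zip(urls, urls[1:]):
        if urlparse(prev).scheme == "https" and urlparse(nxt).scheme == "http":
            findings.append(f"downgrade: {prev} -> {nxt}")
    if urlparse(urls[-1]).scheme != "https":
        findings.append(f"final page served over plaintext: {urls[-1]}")
    return findings


# Constructed sample: the misconfigured behaviour (HTTPS bounced to HTTP,
# plain HTTP served as-is) ...
BROKEN = {
    "https://login.example.test/": (301, "http://login.example.test/"),
}
# ... and the corrected behaviour (HTTP upgraded, HTTPS served directly).
FIXED = {
    "http://login.example.test/": (301, "https://login.example.test/"),
    "https://login.example.test/": (200, None),
}

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        for start in ("http://login.example.test/", "https://login.example.test/"):
            print(name, start, audit_chain(follow_chain(start, table)) or ["ok"])
```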
On Twitter, Bryner called the issue "a litmus test for how we're doing with security awareness."
"And the answer is: not good," he wrote.
Rapid7 engineering manager Tod Beardsley told eSecurity Planet that the larger issue emerging from this vulnerability is that many of the users whose passwords were exposed are likely to have reused those same passwords on other sites.
"So while it might not be so useful to an attacker to seize control of someone's Match.com account, if that same or very similar password is used for those users' e-mail addresses, this gives an attacker an avenue into all of that user's personal accounts around the Internet, thanks to a password reset attack," Beardsley said.
And an email account can be a treasure trove for a hacker. "Many email services today discourage people from truly deleting old messages, so an attacker can first rummage through old welcome messages for various services," Beardsley said. "Once those services are identified, he can then go to those login pages, click, 'I forgot my password,' and get a password reset link delivered to the victim's email."
"From there, the password can be changed, and the attacker can do what he’d like, even on sites where the user is careful not to reuse passwords," Beardsley added.
"Match.com users should immediately consider their passwords compromised, and change them as soon as Match.com fixes the misconfiguration," Beardsley said. "If those passwords are reused, those credentials should also be considered compromised, and changed immediately."