The youth dating site OurTeenNetwork claims to be the “best rated teen dating and social networking site,” created “for the safety of online teen dating and socializing.” But despite those hefty claims and promises, until this week, anyone on the internet could read the private messages exchanged between users, and even impersonate them.
All you had to do snoop on anyone’s conversations was register to the site, and then guess a user’s unique identification number. As chance would have it, that wasn’t very hard at all.
Any user on the site is assigned a unique, non random ID, such as 16164, which was the one my test account got. The problem is that every private conversation uses those IDs, making a simple, guessable link such as ourteennetwork.com/conversation/ID1/ID2. Until this week, by guessing the ID numbers, any registered users could read other people’s messages, and even type new messages—effectively pretending to be either one of the users.
“Children absolutely deserve to be better protected online than this.”
What’s worse, this kind of attack could’ve easily been automated with a program designed to guess ID combinations and then download the conversation. This would have taken out the pain of manually guessing the right numbers, and would’ve exposed every user’s private messages, likely laying bare private information such as their real names, email addresses, as well as chat and social media accounts.
“Super simple to exploit and easy to automate, probably impacting the entire userbase in minutes or hours,” Jeremiah Grossman, a web security expert, told me.
An 18-year-old student who goes by the moniker Tonynoname alerted me of this issue last week. Tonynoname said that while testing the site, he was able to see several conversations of other users, some including information such as “phone numbers and long breakup messages.”
“You can send a message to anyone, from anyone!” Tonynoname told me at the time. “That’s a gaping security hole if people think they are having private conversations but aren’t really.” (I tested this myself, sending a message to my own account from Tonynoname’s account)
After he contacted the administrator of OurTeenNetwork and got no response, I reached out myself. A couple of days later, I finally heard back.
“Sorry, but I have 34 networks with 300.000 users, and I [do] not have investors or government help and is difficult,” Alexandre Mora Lopez, the administrator of OurTeenNetwork and a slew of other dating sites, told me in an email.
This week, Mora Lopez fixed the issue, making it impossible for any user to access other users’ conversations. Mora Lopez explained that OurTeenNetwork had this flaw “because I built the site in haste :(.”
“I bought the site a little time ago and it was a wreck,” he said in an email this week. “Nobody was using it. Slowly, I’ve been making it much better, and now it was around 10,000 users.”
Even before this week’s fix, however, the site promised security on its privacy disclaimer page. And the site still doesn’t use HTTPS web encryption, transmitting all data, including logins and passwords, completely in the clear.
“We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.”
Problems like this are not unheard of on the web. In fact, the infamous hacker Weev took advantage of a similar flaw in an AT&T site to mine and reveal the email addresses of more than 100,000 iPad owners in 2010.
“The vast majority of websites out there have exploitable vulnerabilities and remain open for weeks or months on average. It’s sad, but true,” Grossman said, while adding that, however, “children absolutely deserve to be better protected online than this.”