Match.com's security flaw puts millions of passwords at risk

A recently discovered security flaw in the Match.com website login page has put millions of users' passwords at risk, Ars Technica reported.

The flaw was discovered in early March, but is still active. "It's unclear exactly how long the site has failed to encrypt user credentials," Ars Technica says.

The dating site Match.com does not use HTTPS security – it uses the older HTTP standard instead.

This means that the email addresses and passwords of users logging into the site can be stolen by anyone on the same Wi-Fi network.

The flaw, which was first discovered by a reader of Ars Technica, means Match.com's website is using an unprotected HTTP connection to transmit the login data, allowing anyone to perform a man-in-the-middle attack, most simply performed by logging into the same Wi-Fi network as the victim, such as in a cafe or train station.

Ars Technica tested the flaw using the Wireshark packet-sniffing program, and managed to "steal" the username and password of one of its colleagues.

"Had Match.com followed basic security practices and properly enabled HTTPS on the login page, the entire session would have been unintelligible to all but the end user and connecting server," says Ars Technica.

The person who first discovered the problem, Scott Bryner, took a screenshot which suggests Match.com is experiencing a server configuration error that's redirecting all HTTPS traffic to an HTTP connection.
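The two conditions the article describes, a login form that posts credentials over plain HTTP and a server that answers HTTPS requests with a redirect to HTTP, are both things a site owner can check for mechanically. The following is an added example, not code from the article, from Ars Technica or from Match.com: it parses a login page for forms containing a password field and reports any whose submit URL is not `https://`, and it scans a redirect chain for an HTTPS-to-HTTP downgrade hop. The host `www.example.test`, the sample HTML and the redirect chains are constructed for the example.

```python
"""Checks for the two login-page problems described in the article:
credentials posted over plaintext HTTP, and HTTPS redirected back to HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> action and whether the form contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)    # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_credential_forms(page_url, html):
    """Return absolute submit URLs of password forms that would post over a non-https scheme.

    A relative action inherits the scheme of page_url, so a login form served from an
    http:// page is flagged even though its action attribute looks harmless.
    """
    parser = _FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # An empty action submits to the page itself.
        target = urljoin(page_url, form["action"] or page_url)
        if urlsplit(target).scheme != "https":
            flagged.append(target)
    return flagged


def downgrade_hops(redirect_chain):
    """Return (source, destination) pairs where an https:// URL redirected to http://.

    redirect_chain is the ordered list of URLs visited, e.g. an HTTP client's
    response history followed by the final URL.
    """
    hops = []
    for src, dst in zip(redirect_chain, redirect_chain[1:]):
        if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http":
            hops.append((src, dst))
    return hops


# Constructed sample login page (not the real Match.com markup).
SAMPLE_LOGIN_HTML = """
<html><body>
<form id="search" action="/search" method="get">
  <input type="text" name="q">
</form>
<form id="login" action="/login" method="post">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed redirect chains: the misconfiguration the article describes
# (HTTPS request answered with a redirect to HTTP) and the correct direction.
BROKEN_CHAIN = ["https://www.example.test/login", "http://www.example.test/login"]
FIXED_CHAIN = ["http://www.example.test/login", "https://www.example.test/login"]

if __name__ == "__main__":
    print(insecure_credential_forms("http://www.example.test/", SAMPLE_LOGIN_HTML))
    print(insecure_credential_forms("https://www.example.test/", SAMPLE_LOGIN_HTML))
    print(downgrade_hops(BROKEN_CHAIN))
    print(downgrade_hops(FIXED_CHAIN))
```

In practice the chain passed to `downgrade_hops` would come from a live request made with redirects followed. Note that a form action pointing at an `https://` URL is not enough on its own if the page carrying the form was itself delivered over HTTP, since anyone positioned on the same network can rewrite that page before the user sees it; the page URL must be HTTPS as well, which is what `insecure_credential_forms` assumes when it resolves relative actions against it.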

Match.com has yet to comment on the matter.

The dating website is part of the Match Group, which includes OKCupid and smartphone dating app Tinder, and is owned by US media company InterActiveCorp.

UPDATE: Match.com has issued a statement saying: "Logging onto uk.match.com is secure as HTTPS has been in place for many years. Our members’ passwords cannot be detected via public WiFi networks because passwords are always sent through HTTPS."