Dating site's security flaw puts millions of passwords at risk

A recently discovered security flaw in the website's login page has put millions of users' passwords at risk, Ars Technica reported.

The flaw was discovered in early March, but is still active. "It's unclear exactly how long the site has failed to encrypt user credentials," Ars Technica says.

The dating site does not use HTTPS security – it uses the older HTTP standard instead.

This means that the email addresses and passwords of users logging into the site can be stolen by anyone on the same Wi-Fi network.

The flaw, which was first discovered by a reader of Ars Technica, means the website is using an unprotected HTTP connection to transmit the login data, allowing anyone to perform a man-in-the-middle attack, most simply performed by logging into the same Wi-Fi network as the victim, such as in a cafe or train station.

Ars Technica tested the flaw using the Wireshark packet-sniffing program, and managed to "steal" the username and password from one of its colleagues.

"Had followed basic security practices and properly enabled HTTPS on the login page, the entire session would have been unintelligible to all but the end user and connecting server," says Ars Technica.

The person who first discovered the problem, Scott Bryner, took a screenshot which suggests the site is experiencing a server configuration error that's redirecting all HTTPS traffic to an HTTP connection. The company has yet to comment on the matter.
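A defender-side check for the two conditions described above: a password form that submits over plain HTTP, and an HTTPS URL that redirects to HTTP. This is an added example, not code from Ars Technica or the site; the function names, the `example.test` host and the sample inputs are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password input."""

    def __init__(self):
        super().__init__()
        self.actions = []      # actions of forms holding a password field
        self._action = None    # action of the form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""   # empty action posts to the page itself
        elif (tag == "input" and self._action is not None
              and (a.get("type") or "").lower() == "password"):
            self.actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def cleartext_login_targets(page_url, html):
    """Return absolute form targets that would carry a password over plain HTTP."""
    parser = _PasswordForms()
    parser.feed(html)
    targets = dict.fromkeys(urljoin(page_url, act) for act in parser.actions)
    return [t for t in targets if urlsplit(t).scheme == "http"]


def https_downgrades(redirect_chain):
    """Return (from, to) pairs where an HTTPS URL redirects to an HTTP one."""
    hops = []
    for url, location in redirect_chain:
        target = urljoin(url, location)    # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            hops.append((url, target))
    return hops


# Constructed sample input: example.test is a placeholder, not the site in the article.
SAMPLE_HTML = ('<form action="/login" method="post"><input name="email">'
               '<input type="password" name="pw"></form>')
SAMPLE_CHAIN = [("https://www.example.test/login", "http://www.example.test/login")]

if __name__ == "__main__":
    print(cleartext_login_targets("http://www.example.test/login", SAMPLE_HTML))
    print(https_downgrades(SAMPLE_CHAIN))
```

Either function returning a non-empty list means credentials can cross the network unencrypted; the usual remedy is serving the login page and its form target over HTTPS only and removing the downgrade redirect.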

The dating website is part of the Match Group, which includes OKCupid and smartphone dating app Tinder, and is owned by US media company InterActiveCorp.

UPDATE: The company has issued a statement saying: "Logging onto is secure as HTTPS has been in place for many years. Our members’ passwords cannot be detected via public WiFi networks because passwords are always sent through HTTPS."

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.