OT: Match.com's Message System Exposes Private "Outside" Email Addresses

Lisa Kachold lisakachold at obnosis.com
Thu Jun 25 08:05:14 MST 2009


<p>
Match.com, the popular paid online "secure" dating site, was found to
reveal private email addresses during messaging.</p>
<p>
Email Reply headers in the Messages reading pane reveal the "outside"
email of the dating parties to each other.  So my reading pane shows
clearly at the top of an email Match.com "Message" thread:</p>
<pre>
Date: Wed, 24 Jun 2009 23:18:23 -0500
From: obnosis at talkmatch.com
To: pairaway at hotmail.com
Subject: Match.com Message: RE: Itsadate
</pre>
<p>
So I, "obnosis at talkmatch" (the obfuscated, Match.com-only email
address), would immediately know that a man identified only by his
Match.com screen name was really "pairaway at hotmail.com".  And
alternately, he would also be able to see my outside email address in
his Messages reading pane.</p>
<p>
At the same time, at the bottom of the email Match.com "Message"
thread, their application tacks on a nice DISCLAIMER:</p>
<pre>
------start------
Important tips: Protect your privacy

Our email system strips away your real email address so that the
recipient will NOT see it in the From: line; however, you must...
• Remove any mention of your email address from the body of your message.
• Remove or turn off any automatic signature at the end of your email.
• Avoid using Cc: or Bcc: to help protect your identity.

If you receive an email that you find offensive or contains
advertisements for products or services other than Match.com, please
forward the message immediately to abuse at cc.match.com.

If you no longer wish to receive communication from this person you
can block this user from further contact here.

DISCLAIMER
Match.com does not screen private email between members, nor are we
liable for the content of these messages. All members are bound by the
Match.com Service Agreement.
	
---end----
</pre>
<p>
Match.com was informed on June 25, 2009, with screenshots.  They have
yet to respond to this serious application-layer security issue.</p>

Screenshot: http://www.obnosis.com/motivatebytruth/match_shows_outside_email.jpg
-- 
(503)754-4452 tribe.obnosis.com
scientology.obnosis.com
plug.obnosis.com
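
Added example, not part of the original post and not Match.com's code: a regression check an anonymizing mail relay could run on each message before displaying or delivering it, flagging every address header (not only From:) that still carries a non-relay address. Only the talkmatch.com relay domain comes from the post; the header list and the sample addresses are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Relay domain as shown in the post's From: header.
RELAY_DOMAIN = "talkmatch.com"
# Assumption: the address-bearing headers a relay should rewrite or strip.
ADDRESS_HEADERS = ("From", "To", "Cc", "Bcc", "Reply-To", "Sender", "Return-Path")

# Constructed sample in the shape of the headers quoted in the post.
LEAKY = (
    "Date: Wed, 24 Jun 2009 23:18:23 -0500\n"
    "From: alias-a@talkmatch.com\n"
    "To: recipient@example.com\n"
    "Subject: Match.com Message: RE: Itsadate\n"
    "\n"
    "See you then.\n"
)
# Constructed sample of what a fully masked message would look like.
MASKED = LEAKY.replace("recipient@example.com", "alias-b@talkmatch.com")


def leaked_addresses(raw_message, relay_domain=RELAY_DOMAIN):
    """Return (header, address) pairs whose domain is not the relay domain."""
    msg = message_from_string(raw_message)
    leaks = []
    for header in ADDRESS_HEADERS:
        # get_all handles repeated headers; getaddresses handles
        # display names and comma-separated address lists.
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue
            domain = addr.rpartition("@")[2].lower()
            if domain != relay_domain.lower():
                leaks.append((header, addr))
    return leaks


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("masked", MASKED)):
        print(label, leaked_addresses(raw))
```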

