Match.com is apparently putting the personal information of its 21.5m members at risk, because the site’s homepage is not properly secured against hacking attempts.
This is according to Ars Technica, who were alerted to the security flaw by one of their readers, who discovered it in early March.
Ars Technica reports that Match.com does not use HTTPS encryption to protect its login page.
Ars Technica reporter Dan Goodin ran the Wireshark packet-sniffing program while entering his Match.com username and password, and was able to see the credentials in the captured traffic.
Goodin said: “Amazingly, the page uses an unprotected HTTP connection to transmit the data, allowing anyone with a man-in-the-middle vantage point–say, someone on the same public network as a Match.com user, a rogue ISP or telecom employee, or a state-sponsored spy–to pilfer the credentials.
“The lack of an unprotected HTTP connection to transmit information means anyone acting as a man-in-the-middle, such as on the same public network as a Match user, could potentially steal the user’s login information.”
It is unclear how long this has been a problem; the reader who discovered the issue says it is likely caused by a server configuration error that redirects all HTTPS traffic to an insecure HTTP connection.
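The two failure modes described here (a login form that submits over plain HTTP, and a redirect chain that downgrades HTTPS to HTTP) are both checkable by a site owner without any sniffing. The script below is an added example, not code from the article or from Ars Technica; the hostnames and HTML it uses are constructed, and it audits already-fetched data rather than making network requests.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A form with no (or empty) action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def redirect_downgrades(chain):
    """True if any hop in a redirect chain goes from https to http.

    `chain` lists the URLs visited in order, first request to final page.
    An http -> https hop is an upgrade and is not flagged.
    """
    schemes = [urlsplit(u).scheme.lower() for u in chain]
    return any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:]))


def insecure_form_targets(page_url, html):
    """Resolve each <form action> against the page URL and return the targets
    that would carry the submitted credentials over plain HTTP."""
    parser = _FormActions()
    parser.feed(html)
    insecure = []
    for action in parser.actions:
        # Relative and protocol-relative actions inherit the page's scheme,
        # so an https page is still unsafe if it sits at the end of a downgrade.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)
    return insecure


if __name__ == "__main__":
    # Constructed sample: the https request is bounced to http, and the login
    # form on the final page posts back to that http URL.
    chain = ["https://www.example.test/login", "http://www.example.test/login"]
    page = '<form method="post" action="/login"><input name="password"></form>'
    print("downgrade:", redirect_downgrades(chain))
    print("insecure form targets:", insecure_form_targets(chain[-1], page))
```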
Last year, eHarmony suffered a security breach in which its customers’ personal information was accessed.
The company sent an email to users saying that “an unauthorised third party improperly accessed” member accounts and personal details.