OK Cupid Warning: Their "Instant Login" feature is a massive security hole.
OK Cupid regularly sends me a list of "Recent Matches", a collection of profiles they think I'm a match with. Today my "Recent Matches" included my girlfriend. So I forwarded her the email, saying "OK Cupid seems to think we'd be a good couple."
She clicked on one of the profiles OK Cupid sent me, and found that she was logged into my OK Cupid account, with no request for my password, or any indication that she was logging out of her account and into mine, other than the "you are logged in as" indicator being different.
I googled the problem, and found an article from 2013 in The Verve which said that (a) this has been an issue since 2009, at least, (b) OK Cupid has been told this is a problem multiple times, but does not respond to emails about it, (c) the links work even after passwords get changed, but will eventually expire (when? who knows), and (d) people have been burned by posting the links on blogs or other public sites without knowing that they will log anyone into their account.
This is bad. There should not be magic links sent out without notice that will log anyone into someone's account. This should not be a known exploit for 5 years. This should not be considered a desired "feature" by OK Cupid.
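The behaviour described above (emailed links that log in whoever opens them and keep working after a password change) is what an unbounded bearer token looks like. The sketch below is an added example, not part of the original post and not OK Cupid's code: one way a service could bound such a link by making it short-lived, single-use, and tied to the current password. The key, the 15-minute lifetime, the `pw_versions` mapping and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = b"constructed-demo-key"  # constructed value; a real service loads this from a secret store
MAX_AGE = 15 * 60                 # assumed link lifetime: 15 minutes
_used_nonces = set()              # in-memory stand-in for a shared datastore


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_link_token(user_id, pw_version, now=None):
    """Build the token embedded in an emailed login link."""
    issued = time.time() if now is None else now
    expires = int(issued + MAX_AGE)
    nonce = secrets.token_hex(8)  # makes every link distinct, so it can be single-use
    payload = f"{user_id}.{pw_version}.{expires}.{nonce}"
    return f"{payload}.{_sign(payload)}"


def redeem_link_token(token, pw_versions, now=None):
    """Return the user id the link may log in, or None if it must be refused.

    pw_versions maps user id -> counter bumped on every password change
    (hypothetical stand-in for a column in the accounts table).
    """
    parts = token.split(".")
    if len(parts) != 5:
        return None
    payload, sig = ".".join(parts[:4]), parts[4]
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None  # forged or altered
    user_id, pw_version, expires = int(parts[0]), int(parts[1]), int(parts[2])
    now = time.time() if now is None else now
    if now > expires:
        return None  # expired: the link cannot live on in a blog post or old mail
    if pw_versions.get(user_id) != pw_version:
        return None  # password changed since issue: all older links die
    if parts[3] in _used_nonces:
        return None  # already redeemed once
    _used_nonces.add(parts[3])
    return user_id
```

A forwarded email can still be redeemed by the recipient if the link is unused and fresh, so these checks narrow the window rather than close it; links in digest emails that only open a profile do not need to carry a login token at all.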