The page at the URL contains a commented-out form:
<!-- <form action="/59ec1e5173d9cb794f1c29bc333f7327/login.py" method="POST"> <lable for="username">Username:</label> <input id="username" name="username" placeholder="Username"> <label for="status">Dating status:</label> <input id="status" name="status" placeholder="Single"> <input value="Login" type="submit"> </form> -->
Submitting data to it takes you to a new page with an encoded URL:
import requests

url = 'http://ec2-50-19-67-165.compute-1.amazonaws.com/59ec1e5173d9cb794f1c29bc333f7327/login.py'
data = {'username': "test", 'status': "Single"}
r = requests.post(url, data=data)
print(r.headers)
{'date': 'Thu, 03 May 2012 06:32:58 GMT', 'content-length': '0', 'content-type': 'text/x-python', 'location': 'frontpage.py?token=ddc66f74e01890fdfd0af88754241b1a22d242b2d81b5af96a80bbb3ef2b1f2474ae59c68fcac8baa0f60c95dd477c2f', 'server': 'Apache/2.2.16 (Debian)'}
Going to this URL gives a page with the following comment in it:
<!-- debug info: user_data = test|Single|user key = Only admins can see the key. -->
If you change the first byte of the token (dd becomes de), so that the URL is now this:
frontpage.py?token=dec66f74e01890fdfd0af88754241b1a22d242b2d81b5af96a80bbb3ef2b1f2474ae59c68fcac8baa0f60c95dd477c2f
You get this comment:
<!-- debug info: user_data = west|Single|user key = Only admins can see the key. -->
So the token is malleable: flipping a byte of the ciphertext flips the same bits in the decrypted user_data, and nothing validates the result afterwards. Let's try XORing the token with the XOR of the string we had and the string we want:

Original user data: test|Single|user
Wanted user data:   tst|Single|admin
We don't want to change the length of the string because we don't know what's after it in the encrypted data (hence "tst" instead of "test"). A quick Python script:

orig = b"test|Single|user"
want = b"tst|Single|admin"
encoded = bytes.fromhex("ddc66f74e01890fdfd0af88754241b1a22d242b2d81b5af96a80bbb3ef2b1f2474ae59c68fcac8baa0f60c95dd477c2f")
# Each output byte is ciphertext ^ original plaintext ^ wanted plaintext:
# the keystream is unchanged, so the decrypted byte becomes the wanted one.
result = bytes(encoded[i] ^ orig[i] ^ want[i] for i in range(len(orig)))
# Leave the rest of the ciphertext untouched; its plaintext is unknown.
result += encoded[len(result):]
print(result.hex())
ddc66f74e01890fdfd0af88754241b1a22d242b2d81b5af96a80bbb3ef2b1f2474ae59c68fcac8baa0f60c95dd477c2f
Submit this token and the comment changes, giving you the key:
<!-- debug info: user_data = tst|Single|admin key = 2012-04-25_14:46:24.29582+05:27@2012%127.0.0.2_IS_BEST_KEY -->
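The same byte flip as a reusable function, next to the check that would have stopped it. This is an added example, not the writeup's script: it assumes a stream cipher or CTR mode (ciphertext = plaintext XOR keystream), reuses the token from above, and then appends an HMAC-SHA256 tag under a constructed server key to show that a modified token no longer verifies.

```python
import hashlib
import hmac
import secrets

# Token and plaintexts from the writeup above
TOKEN_HEX = ("ddc66f74e01890fdfd0af88754241b1a22d242b2d81b5af96a80bbb3ef2b1f24"
             "74ae59c68fcac8baa0f60c95dd477c2f")
KNOWN = b"test|Single|user"
WANTED = b"tst|Single|admin"


def flip_prefix(token: bytes, known: bytes, wanted: bytes) -> bytes:
    """Copy of `token` whose leading len(known) plaintext bytes decrypt to
    `wanted` instead of `known`. Assumes ciphertext = plaintext XOR keystream,
    so XORing (known ^ wanted) into the ciphertext edits the plaintext."""
    if len(known) != len(wanted):
        raise ValueError("known and wanted plaintext must have equal length")
    if len(known) > len(token):
        raise ValueError("plaintext is longer than the token")
    delta = bytes(k ^ w for k, w in zip(known, wanted))
    prefix = bytes(c ^ d for c, d in zip(token, delta))
    return prefix + token[len(delta):]  # the unknown tail is left as-is


def forged_token_hex() -> str:
    """The writeup's token with the role field rewritten to 'admin'."""
    return flip_prefix(bytes.fromhex(TOKEN_HEX), KNOWN, WANTED).hex()


# --- Mitigation: authenticate the token so any edit is detected ----------
MAC_KEY = secrets.token_bytes(32)  # constructed server-side secret for the demo
TAG_LEN = hashlib.sha256().digest_size


def issue(body: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the encrypted body (encrypt-then-MAC)."""
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()


def verify(token: bytes) -> bool:
    """Constant-time tag check; False means the token was altered."""
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest())


def forged_token_rejected() -> bool:
    """Flip the same bytes in an authenticated token: the tag no longer matches."""
    good = issue(bytes.fromhex(TOKEN_HEX))
    forged = flip_prefix(good[:-TAG_LEN], KNOWN, WANTED) + good[-TAG_LEN:]
    return verify(good) and not verify(forged)
```

Only the first 16 bytes of the forged token differ from the captured one; the 32-byte tail is copied unchanged.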