Dating App Raw EXPOSED Users’ Location Data and Personal Information

A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.

The exposed data included users’ display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users’ locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.

News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partner’s heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.

Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app, and its unreleased device, both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.

When we tried the app this week, which included analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email.

When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its “focus remains meaningfully with our growing community.”

Anderson would not commit to proactively notifying users that their information was exposed, citing “applicable regulations.”

It’s not immediately known how long the app was publicly spilling its users’ data. Anderson said that the company was still investigating the incident.

Regarding its claim that the app uses end-to-end encryption, Anderson said Raw’s “steps will be clear after thoroughly analyzing the situation.”

Anderson would not say, when asked, whether the company plans to adjust its privacy policy. Anderson did not respond to a follow-up email from TechCrunch.

How we found the exposed data

TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allowed us to use the app without having to provide any real-world data, such as our physical location.

We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device’s location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device’s location, we allowed the app access to our precise location down to a few meters.

We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.

TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication.

In practice, that meant anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server – api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data.

Screenshot: the location of the TechCrunch user’s profile shown on a map, hovering over Mountain View, California. Image credits: TechCrunch.

This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s account because of a lack of security checks on the user accessing the data.

As we’ve explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on that same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.

U.S. cybersecurity agency CISA has long warned of the risk that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their apps perform proper authentication and authorization checks.
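To make the IDOR pattern and CISA’s advice concrete, here is an added example (not Raw’s code and not from the article) of a profile endpoint that trusts the user id in the URL, beside a hardened version that first authenticates the caller and then authorizes what that caller may see. The in-memory user records, session tokens and framework-free handler functions are all constructed for illustration.

```python
# Added example: a /users/<id> handler with an IDOR beside its hardened form.
# Records, tokens and handler names are constructed, not from the Raw app.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample profiles keyed by an 11-digit id like the one described.
USERS = {
    "10000000001": {"name": "alice", "dob": "1990-01-01", "lat": 37.41, "lon": -122.08},
    "10000000002": {"name": "bob", "dob": "1988-05-05", "lat": 37.42, "lon": -122.09},
}
# Constructed bearer-token -> user-id session table.
SESSIONS = {"tok-alice": "10000000001", "tok-bob": "10000000002"}

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

def get_user_vulnerable(user_id: str, auth_header: Optional[str] = None) -> Response:
    """Before: answers for any id in the URL and never looks at who is asking."""
    rec = USERS.get(user_id)
    if rec is None:
        return Response(404)
    return Response(200, dict(rec))  # full record, coordinates included

def get_user_hardened(user_id: str, auth_header: Optional[str]) -> Response:
    """After: authentication, then per-object authorization."""
    # Authentication: a valid bearer token must resolve to a known account.
    if not auth_header or not auth_header.startswith("Bearer "):
        return Response(401)
    caller = SESSIONS.get(auth_header[len("Bearer "):])
    if caller is None:
        return Response(401)
    rec = USERS.get(user_id)
    if rec is None:
        return Response(404)
    # Authorization: only the owner sees precise fields (coordinates, DOB);
    # any other authenticated user gets the public view only, so changing
    # the id in the URL no longer reveals another user's location.
    if caller == user_id:
        return Response(200, dict(rec))
    return Response(200, {"name": rec["name"]})
```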

Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
