Popular dating app leaked personal data of 1.5 million users
9 August 2019
3Fun, a popular dating app that allows “local kinky, open-minded people” to meet and interact with each other, was recently found exposing personal data and real-time locations of as many as 1.5 million users.
While the app promises privacy and secrecy to over a million users, security researchers at Pen Test Partners found its security so poor that the app has “probably the worst security for any dating app” they’ve ever seen.
While analysing the dating app, the researchers found that the app actively leaked near real-time location of users, and exposed dates of birth, sexual preferences, chat history, and private pictures of users even if privacy settings were set.
Normally, the app discloses a user's latitude and longitude. Even when a user turns off sharing of those co-ordinates with other users, the restriction is enforced only inside the mobile app, not on the server, which still returns the data. This means anyone who queries the app's API directly can retrieve a user's position even when that user has opted out of revealing it.
This way, the researchers found active users of 3Fun located in the White House, at 10 Downing Street, as well as one at the US Supreme Court. They could also locate hundreds of active users with pin-point accuracy in major cities such as London, other cities in the UK, and in Washington DC.
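The design flaw described above, client-side filtering of a privacy setting, contrasted with server-side enforcement, as an added example that is not code from the article or from 3Fun. The user records, field names and API functions are constructed for illustration, and the example generalises from location to any attribute a user can hide (the article also lists dates of birth and other profile data):

```python
from dataclasses import dataclass

# Constructed sample users (hypothetical schema, not 3Fun's real API).
@dataclass
class User:
    user_id: int
    display_name: str
    private: dict   # attribute -> value the user may choose to hide
    hidden: set     # names of private attributes the user has opted to hide

USERS = {
    1: User(1, "alice",
            {"location": (51.5034, -0.1276), "birth_date": "1990-01-01"},
            hidden={"location", "birth_date"}),
    2: User(2, "bob",
            {"location": (38.8977, -77.0365), "birth_date": "1985-05-05"},
            hidden=set()),
}

def vulnerable_profile_api(target_id: int, viewer_id: int) -> dict:
    """Pattern the article describes: the server sends every attribute plus the
    privacy flags and trusts the mobile app to hide what the user opted out of.
    Anyone talking to the API directly therefore receives the full record."""
    u = USERS[target_id]
    return {"user_id": u.user_id, "display_name": u.display_name,
            **u.private, "hidden": sorted(u.hidden)}

def hardened_profile_api(target_id: int, viewer_id: int) -> dict:
    """Server-side enforcement: hidden attributes never leave the server unless
    the viewer is the profile owner, so the client has nothing left to filter."""
    u = USERS[target_id]
    resp = {"user_id": u.user_id, "display_name": u.display_name}
    for name, value in u.private.items():
        if viewer_id == target_id or name not in u.hidden:
            resp[name] = value
    return resp

def leaked_fields(api, target_id: int, viewer_id: int) -> set:
    """Regression check: which hidden attributes does a third-party viewer get?
    An empty set means the privacy setting is honoured at the API boundary."""
    u = USERS[target_id]
    if viewer_id == target_id:
        return set()
    return set(api(target_id, viewer_id)) & u.hidden
```

A check like `leaked_fields` belongs in the API's automated tests, since it catches exactly the case where a privacy toggle is wired up in the client but never reaches the server.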
3Fun dating app had no mechanism to protect users’ privacy
“Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position.
“But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure. It’s easy to track users in near real time, uncovering very personal information and photos,” the researchers said.
Commenting on the alarmingly poor security posture of the 3fun app, Justin Fox, director of DevOps engineering at NuData Security, said that hackers could have used the dating app to build profiles of its users, combining typical profile information with the physical location data of people the app bills as kinky, open-minded. This is sensitive information that could be used for harassment and persecution of LGBTQ+ individuals.
“Due to the multiple security vulnerabilities in the application, researchers were able to manipulate their session details to change data attributes and collect profile information of other registered users. This is where a layered security approach that establishes a trusted device profile is critical to providing a better consumer experience that validates the device and prevents attribute spoofing.
“The experience is frictionless to most consumers (as long as they don’t show signs of risk, there is no need for additional authentication) while it mitigates the risk organisations face such as spoofed or manipulated device intelligence data. It’s important to foster inclusion and diversity in all environments – acceptance matters,” he added.