
Dating app Raw exposed users’ location data and personal information


TechCrunch has found that a security lapse at the dating app Raw publicly exposed the personal data and private location data of its users.

The exposed data included users’ display names, dates of birth, and dating and sexual preferences associated with the Raw app, as well as users’ locations. Some of the location data included coordinates specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others by asking users to upload daily selfie images. The company does not disclose how many users it has, but its listing on the Google Play Store notes more than 500,000 Android downloads to date.

News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will give app users AI-generated insights into their partner’s heart rate and other sensor data. The AI-generated insights are intended to detect infidelity.

Despite the moral and ethical issues of tracking romantic partners and the dangers of emotional surveillance, Raw claims on its website and in its privacy policy that its app and its unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.

When we tested the app this week, including an analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

“All previously exposed locations have been secured, and we have implemented additional safety measures to prevent similar issues in the future,” Marina Anderson, co-founder of the Raw dating app, told TechCrunch.

When asked by TechCrunch, Anderson confirmed that the company had not conducted a third-party security audit of its app, adding that it focuses on “building a high quality product and having a meaningful engagement with our growing community.”

Anderson would not commit to proactively notifying affected users that their information had been exposed, but said the company “will submit a detailed report to the relevant data protection authorities under applicable rules.”

It is not immediately known how long the app had been publicly spilling its users’ data. Anderson said the company is still investigating the incident.

Regarding its claim that the app uses end-to-end encryption, Anderson said that Raw “uses encryption in transit and enforces access to access to sensitive data within our infrastructure. Further measures will be clear after a thorough analysis of the situation.”

Anderson would not say, when asked, whether the company intends to adjust its privacy policy, and did not respond to a follow-up email from TechCrunch.

How we found the exposed data

TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without providing any real-world data, such as our physical location.

We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device’s location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device’s location, we allowed the app to access our exact location, down to a few meters.

We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.

TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication.

In practice, this meant that anyone could access any other user’s private information by visiting the web address of the exposed server in a web browser: api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to match another user’s 11-digit identifier returned private information from that user’s profile, including their location data.

A screenshot showing a user profile created by TechCrunch, which includes the user's exact location.
Image Credits: TechCrunch

This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that allows someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.

As we have explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on the same street. As such, IDOR bugs can be easily exploited and in some cases enumerated, giving access to record after record of user data.

The U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure that their apps perform proper authentication and authorization checks.
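An added example (not TechCrunch's or Raw's code) showing the unchecked lookup pattern described above beside a handler that performs authentication and per-object authorization checks. The profile records, field names, token scheme and function names are all constructed for illustration.

```python
from __future__ import annotations
import hashlib, hmac, secrets

# Constructed sample data: hypothetical profiles keyed by 11-digit IDs.
PROFILES = {
    "10000000001": {"display_name": "alex", "dob": "1990-01-01",
                    "lat": 37.4143, "lon": -122.0774},
    "10000000002": {"display_name": "sam", "dob": "1992-02-02",
                    "lat": 37.3861, "lon": -122.0839},
}
PUBLIC_FIELDS = {"display_name"}      # assumption: what other users may see
SERVER_KEY = secrets.token_bytes(32)  # per-process key used to sign tokens

def _tag(user_id: str) -> str:
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()

def issue_token(user_id: str) -> str:
    """Bind a session token to exactly one user ID."""
    return f"{user_id}.{_tag(user_id)}"

def authenticate(token: str | None) -> str | None:
    """Return the caller's user ID if the token verifies, else None."""
    if not token or "." not in token:
        return None
    user_id, tag = token.split(".", 1)
    return user_id if hmac.compare_digest(tag, _tag(user_id)) else None

def get_profile_unchecked(requested_id: str) -> tuple[int, dict]:
    """Flawed pattern: the ID in the URL is the only thing consulted."""
    profile = PROFILES.get(requested_id)
    return (200, dict(profile)) if profile else (404, {})

def get_profile_checked(token: str | None, requested_id: str) -> tuple[int, dict]:
    """Authenticate first, then authorize per object and per field."""
    caller = authenticate(token)
    if caller is None:
        return 401, {}                # no valid session: nothing is returned
    profile = PROFILES.get(requested_id)
    if profile is None:
        return 404, {}
    if caller == requested_id:
        return 200, dict(profile)     # the owner sees the full record
    # Other authenticated users get only fields marked public.
    return 200, {k: v for k, v in profile.items() if k in PUBLIC_FIELDS}
```

The identity used for the authorization decision comes from the verified token, never from the identifier in the request path.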

Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
