A security lapse at the dating app Raw publicly exposed its users' personal data and private location data, TechCrunch has found.
The exposed data included users' display names, dates of birth, and the dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates precise enough to locate Raw app users with street-level accuracy.
Raw, which launched in 2023, is a dating app that claims to offer more genuine conversations with others by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads.
News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that the company claims will let app users track their partner's heart rate and other sensor data, using AI-generated insights to detect infidelity.
Notwithstanding the ethical and moral issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app and its unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.
When we tried the app this week, including an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.
Raw fixed the data exposure on Wednesday, after TechCrunch contacted the company with details of the bug.
Raw dating app co-founder Marina Anderson said,
Asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit, adding that it is “focused on building a high-quality product and engaging meaningfully with our growing community.”
Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would “submit a detailed report to the relevant data protection authorities under applicable regulations.”
It is not immediately known how long the app was publicly spilling its users' data. Anderson said the company was still investigating the incident.
Regarding its claim that the app uses end-to-end encryption, Anderson said Raw “uses encryption in transit and applies access controls to sensitive data within our infrastructure. Further steps will become clear after a thorough analysis of the situation.”
Anderson would not say, when asked, whether the company plans to adjust its privacy policy, and Anderson did not respond to a follow-up email from TechCrunch.
How we found the exposed data
TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without providing any real-world data, such as our physical location.
We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device's location, we allowed the app to access our precise location, down to a few meters.
We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.
TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user's profile information directly from the company's server, but that this server was not protecting the returned data with any authentication.
In practice, this meant that anyone could access another user's personal information by using a web browser to visit the web address of the exposed server, api.raw.app/users/
followed by the unique 11-digit number the app assigns to each user. Changing the digits to match any other user's 11-digit identifier returned private information from that user's profile, including their location data.
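To make the failure concrete, here is an added example, not Raw's code and not part of TechCrunch's reporting: a profile endpoint modelled as plain Python functions. `vulnerable_get_profile` answers `/users/<id>` from the path id alone, which is the pattern the article describes. `hardened_get_profile` first authenticates the caller from a bearer token and then applies object-level authorization, returning the full record only to its owner and a minimal public subset (no date of birth, no coordinates) to anyone else. All user ids, tokens, profile fields and the `ApiError`/`call` helpers are constructed for the example.

```python
# Added example (not Raw's code): an unauthenticated profile lookup beside a
# version that checks authentication and object-level authorization.
# All ids, tokens and profile data below are constructed.
from dataclasses import dataclass
from typing import Callable, Optional
import hmac


@dataclass
class Profile:
    user_id: str
    display_name: str
    birth_date: str
    lat: float
    lon: float


# Constructed sample data: two users and their session tokens.
PROFILES = {
    "10000000001": Profile("10000000001", "alice", "1990-01-01", 37.4, -122.1),
    "10000000002": Profile("10000000002", "bob", "1988-05-05", 37.5, -122.0),
}
SESSIONS = {"tok-alice": "10000000001", "tok-bob": "10000000002"}


class ApiError(Exception):
    """Carries an HTTP-style status so the dispatcher can map it to a response."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def vulnerable_get_profile(path_user_id: str, auth_header: Optional[str] = None) -> dict:
    """The pattern the article describes: the record is returned for whatever id
    is in the URL. The Authorization header is never looked at, so any client
    can read any profile, and sequential ids make the whole table easy to walk."""
    profile = PROFILES.get(path_user_id)
    if profile is None:
        raise ApiError(404, "not found")
    return dict(vars(profile))


def authenticate(auth_header: Optional[str]) -> str:
    """Map a bearer token to the calling user's id; reject missing/unknown tokens."""
    if not auth_header or not auth_header.startswith("Bearer "):
        raise ApiError(401, "authentication required")
    token = auth_header[len("Bearer "):]
    for known_token, uid in SESSIONS.items():
        # Constant-time comparison so token checking does not leak by timing.
        if hmac.compare_digest(known_token, token):
            return uid
    raise ApiError(401, "invalid token")


def hardened_get_profile(path_user_id: str, auth_header: Optional[str] = None) -> dict:
    """Authentication (who is calling) followed by authorization (what may they
    see about this object). The id in the path is never treated as proof of
    ownership; it only selects which record the authorization decision is about."""
    caller = authenticate(auth_header)
    profile = PROFILES.get(path_user_id)
    if profile is None:
        raise ApiError(404, "not found")
    if caller == path_user_id:
        return dict(vars(profile))  # the owner may read their own full record
    # Any other authenticated user gets only the public subset. Date of birth
    # and precise coordinates are never returned for someone else's profile.
    return {"user_id": profile.user_id, "display_name": profile.display_name}


def call(handler: Callable[..., dict], path_user_id: str, auth_header: Optional[str] = None):
    """Tiny dispatcher returning (status, body), as an HTTP layer would."""
    try:
        return 200, handler(path_user_id, auth_header)
    except ApiError as exc:
        return exc.status, {"error": str(exc)}


if __name__ == "__main__":
    # Unauthenticated request for someone else's record: leaks everything.
    print(call(vulnerable_get_profile, "10000000002"))
    # Same request against the hardened handler: rejected.
    print(call(hardened_get_profile, "10000000002"))
    # Alice, authenticated, asking about Bob: public fields only.
    print(call(hardened_get_profile, "10000000002", "Bearer tok-alice"))
```

The important design point is that the check is per object, not per endpoint: a valid session alone is not enough to read an arbitrary `/users/<id>`, which is exactly the gap an IDOR exploits. A real service would also avoid guessable sequential identifiers, but that is defence in depth; the authorization check is what closes the bug.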


This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else's server because of a lack of proper security checks on the user accessing the data.
As we have explained before, IDOR bugs are like having a key to a private mailbox, except that the key also unlocks every other mailbox on the same street. IDOR bugs can be easy to enumerate, in some cases allowing access to record after record of user data.
The U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, which commonly include the ability to access data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their apps perform proper authentication and authorization checks.
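The enumeration the mailbox analogy describes leaves a distinctive trace on the server side: one client fetching many different `/users/<id>` records, often with consecutive ids. The following added example (mine, not from the article, CISA or Raw) scans constructed API access-log lines for that pattern. The log format, the client addresses, the ids and the thresholds `min_distinct` and `min_run` are all assumptions for the example; an operator would tune them to their own traffic.

```python
# Added example, not from the article or from Raw: flag clients whose access
# pattern looks like id enumeration against a /users/<id> endpoint.
# The log format and every line in SAMPLE_LOG are constructed.
import re
from collections import defaultdict

# Constructed format: <client-ip> <timestamp> "<method> <path>" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "GET /users/(?P<uid>\d{11})" (?P<status>\d{3})$'
)

SAMPLE_LOG = """\
203.0.113.7 2025-05-01T10:00:01Z "GET /users/10000000001" 200
198.51.100.4 2025-05-01T10:00:02Z "GET /users/10000000042" 200
203.0.113.7 2025-05-01T10:00:02Z "GET /users/10000000002" 200
203.0.113.7 2025-05-01T10:00:03Z "GET /users/10000000003" 200
203.0.113.7 2025-05-01T10:00:03Z "GET /users/10000000004" 200
203.0.113.7 2025-05-01T10:00:04Z "GET /users/10000000005" 200
198.51.100.4 2025-05-01T10:00:09Z "GET /users/10000000042" 200
198.51.100.4 2025-05-01T10:00:10Z "GET /users/10000000077" 200
"""


def parse(log_text: str):
    """Yield (client_ip, user_id, status) for every line matching the format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), int(m.group("uid")), int(m.group("status"))


def longest_consecutive_run(sorted_ids: list) -> int:
    """Length of the longest run of ids that differ by exactly 1 (0 for no ids)."""
    if not sorted_ids:
        return 0
    best = cur = 1
    for prev, nxt in zip(sorted_ids, sorted_ids[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def find_enumerators(log_text: str, min_distinct: int = 4, min_run: int = 3) -> dict:
    """Return {client_ip: {"distinct": n, "longest_run": k}} for clients that
    successfully read at least min_distinct different profiles and whose ids
    include a consecutive run of at least min_run. Repeated reads of the same
    id (normal app behaviour) count once, so they do not trip the detector."""
    ids_by_ip = defaultdict(set)
    for ip, uid, status in parse(log_text):
        if status == 200:  # only successful reads indicate exposed data
            ids_by_ip[ip].add(uid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_distinct:
            continue
        run = longest_consecutive_run(sorted(ids))
        if run >= min_run:
            flagged[ip] = {"distinct": len(ids), "longest_run": run}
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {stats['distinct']} distinct profiles, "
              f"longest consecutive-id run {stats['longest_run']}")
```

In the sample, `203.0.113.7` reads five consecutive profiles and is flagged, while `198.51.100.4` re-reads its own record and views one other and is not. Detection of this kind is a backstop for the period before a fix ships and a way to scope how much data was read; it does not replace the authorization check itself.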
Since Raw fixed the bug, the exposed server no longer returns user data in the browser.