
Dating App Data Breach: User Location & Personal Info Exposed

May 2, 2025

Data Breach Exposes Raw Dating App Users’ Information

A significant security vulnerability within the Raw dating application resulted in the public exposure of sensitive user data, including personal details and precise location information, as discovered by TechCrunch.

Details of the Exposed Data

The compromised data encompassed user display names, dates of birth, and preferences related to dating and sexuality within the Raw app. Critically, users’ locations were also revealed.

In some instances, the location data provided coordinates accurate enough to pinpoint Raw app users at the street level.

About the Raw App

Launched in 2023, Raw distinguishes itself as a dating platform aiming to foster more authentic connections. This is partially achieved by requiring users to submit daily selfie photographs.

While the company hasn't disclosed its total user base, the app has surpassed 500,000 downloads on the Google Play Store.

Raw Ring and AI-Powered Insights

This security incident coincides with Raw’s announcement of a hardware extension to its dating app: the Raw Ring. This unreleased wearable device is intended to monitor a partner’s heart rate and other sensor data.

The collected data would then be processed to generate AI-driven insights, purportedly to identify potential infidelity.

Encryption Claims Contradicted

Raw asserts, both on its website and within its privacy policy, that its app and the forthcoming device utilize end-to-end encryption. This security measure is designed to prevent access to user data by anyone other than the user themselves, including the company.

However, analysis of the app’s network traffic by TechCrunch revealed no evidence of end-to-end encryption being implemented.

Instead, the investigation demonstrated that user data was publicly accessible via a standard web browser.

Resolution and Response

The data exposure was addressed by Raw on Wednesday, following notification from TechCrunch regarding the security flaw.

“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” stated Marina Anderson, co-founder of Raw, in an email to TechCrunch.

Lack of Security Audits

When questioned by TechCrunch, Anderson confirmed that the company had not commissioned a third-party security audit of its application.

She indicated that the company’s primary focus remains on product development and community engagement.

User Notification and Data Protection

Anderson did not commit to proactively informing affected users about the data exposure.

However, she stated that the company would “submit a detailed report to the relevant data protection authorities under applicable regulations.”

Duration of Exposure and Encryption Clarification

The length of time the app’s user data was publicly accessible remains under investigation, according to Anderson.

Regarding the encryption claim, Anderson clarified that Raw “uses encryption in transit and enforces access controls for sensitive data within our infrastructure. Further steps will be clear after thoroughly analyzing the situation.”

Privacy Policy and Further Communication

Anderson declined to comment on whether the company intends to revise its privacy policy.

A follow-up email from TechCrunch requesting further clarification received no response.

The Discovery of Exposed User Data

TechCrunch identified a security flaw within the Raw dating application on Wednesday, during routine testing procedures. Our evaluation involved installing the Raw app on a virtual Android environment. This allowed for app functionality assessment without utilizing personal data, such as a genuine physical location.

A test account was created using placeholder information, including a fictitious name and date of birth. The virtual device’s location was then set to simulate presence at a museum in Mountain View, California. We granted the application access to the device’s precise location, accurate to within a few meters, when prompted.

Network traffic was monitored and analyzed using specialized tools. This process enabled a detailed understanding of the Raw app’s operations and the types of user data being transmitted. The data flow in and out of the application was thoroughly inspected.

The data exposure was detected within minutes of initial app usage. Upon launching the app, user profile information was observed being retrieved directly from the company’s servers. Critically, this data transfer lacked any form of authentication protection.

Consequently, any individual could access the private information of other users. This was achieved by navigating to the exposed server address – api.raw.app/users/ – within a web browser, followed by an 11-digit user identifier. Substituting different 11-digit IDs revealed the private data associated with corresponding user profiles, including their location information.

This type of security weakness is classified as an insecure direct object reference, or IDOR. It represents a vulnerability where insufficient security checks allow unauthorized access or modification of data on a server.
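The IDOR pattern described above, as an added example that is not Raw's or TechCrunch's code: a handler that trusts the ID in the URL beside one that authenticates the caller first and then decides per field what that caller may see. The user store, IDs and session tokens are constructed sample data.

```python
# Added example (not Raw's code): a per-user endpoint modelled two ways over a
# constructed in-memory store, showing the missing checks that make an IDOR.
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class User:
    user_id: str
    display_name: str
    dob: str
    preferences: str
    lat: float
    lon: float

# Constructed sample records with 11-digit numeric IDs, like the article describes.
USERS = {
    "10000000001": User("10000000001", "Alice", "1990-01-01", "straight", 37.4140, -122.0780),
    "10000000002": User("10000000002", "Bob", "1988-05-05", "gay", 37.4220, -122.0840),
}
# Constructed session store: bearer token -> user_id, as a login would have issued.
SESSIONS = {secrets.token_hex(16): "10000000001"}

def vulnerable_get_user(user_id: str) -> Optional[dict]:
    """The flaw: the ID in the URL is the only input; nobody's identity is checked."""
    u = USERS.get(user_id)
    return None if u is None else vars(u)

def hardened_get_user(bearer_token: Optional[str], user_id: str) -> Tuple[int, Optional[dict]]:
    """Returns (http_status, body). Authenticate first, then authorize per field."""
    caller_id = SESSIONS.get(bearer_token or "")
    if caller_id is None:
        return 401, None                      # no valid session: no data at all
    u = USERS.get(user_id)
    if u is None:
        return 404, None
    if caller_id == user_id:
        return 200, vars(u)                   # the owner sees their own full record
    # Any other authenticated user gets only what a profile card needs; precise
    # coordinates, date of birth and preference fields never leave the server.
    return 200, {"user_id": u.user_id, "display_name": u.display_name}
```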

As previously detailed, IDOR vulnerabilities are comparable to possessing a key that unlocks not only your own mailbox, but also all others on the same street. Exploitation is often straightforward, and in some instances, the vulnerability can be systematically enumerated to access numerous user records.
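Because enumeration of a per-user endpoint leaves a recognisable trace in server logs, the check below, an added example that is not Raw's or TechCrunch's code, flags clients that fetch many distinct user records whose IDs run consecutively. The log format, client addresses and IDs are constructed; real access logs would carry timestamps and would be windowed by time as well.

```python
# Added example: detecting sequential-ID enumeration against /users/<11-digit-id>
# from constructed access-log lines (defender's view of the pattern described above).
import re
from collections import defaultdict

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ "GET /users/(?P<uid>\d{11})" (?P<status>\d{3})$')

# Constructed sample log lines; timestamps omitted for brevity.
SAMPLE_LOG = """\
203.0.113.7 - "GET /users/10000000001" 200
203.0.113.7 - "GET /users/10000000002" 200
203.0.113.7 - "GET /users/10000000003" 200
203.0.113.7 - "GET /users/10000000004" 200
203.0.113.7 - "GET /users/10000000005" 200
198.51.100.4 - "GET /users/10000000001" 200
198.51.100.4 - "GET /users/10000000001" 200
"""

def enumeration_suspects(log_text: str, max_distinct_ids: int = 3) -> dict:
    """Return {client: sorted distinct IDs} for clients that successfully fetched
    more distinct user records than a normal profile view needs AND whose IDs
    form a mostly consecutive run, which is the signature of ID enumeration."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            seen[m.group("client")].add(int(m.group("uid")))
    suspects = {}
    for client, ids in seen.items():
        if len(ids) <= max_distinct_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        # At least half of the gaps between successive IDs being exactly 1
        # separates a scan from a user browsing unrelated profiles.
        if steps and sum(1 for s in steps if s == 1) / len(steps) >= 0.5:
            suspects[client] = ordered
    return suspects
```

The threshold and the consecutive-gap ratio are tunable; the point is that repeated successful reads of other users' records by one client is the event to alert on, independent of whether the endpoint has since been fixed.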

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has consistently highlighted the risks associated with IDOR bugs. These risks include the potential for accessing sensitive data on a large scale. CISA’s Secure by Design initiative, outlined in a 2023 advisory, emphasizes the importance of robust authentication and authorization checks in application development.

Following remediation of the vulnerability by Raw, the exposed server no longer returns user data when accessed through a web browser.
