Dating app Raw exposed users’ location data and personal information

By Karla T Vasquez


TechCrunch has found that a security lapse at dating app Raw publicly exposed the personal data and private location data of its users.

The exposed data included users' display names, dates of birth, and dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others, in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.

News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partner's heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.

Notwithstanding the moral and ethical issues of tracking romantic partners and the surveillance risks involved, Raw claims on its website and in its privacy policy that its app and its unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user from accessing the data.

When we tried the app this week, which included an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

“All the previously exposed endpoints have been protected, and we applied additional security measures to prevent similar problems in the future,” Marina Anderson, the co-founder of the Raw dating app, told TechCrunch via email.

When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that “focus is about to create a high quality product and meaningful to our growing community.”

Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company “will submit a detailed report to the information protection authority related to the applicable regulations.”

It is not immediately known how long the app had been publicly spilling its users' data. Anderson said the company was still investigating the incident.

Asked about the company's claim that it uses end-to-end encryption, Anderson said: “Using encryption in transit and applied access controls for our infrastructural sensitive data. Further steps would be clear after the situation was fully analyzed.”

When asked, Anderson would not say whether the company plans to adjust its privacy policy, and Anderson did not respond to TechCrunch's follow-up email.

How we found the exposed data

TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without providing any real-world data, such as our physical location.

We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were in Mountain View, California. When the app requested our virtual device's location, we allowed the app access to our precise location, down to a few meters.

We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what data the app was uploading about its users.

TechCrunch discovered the data exposure within minutes of using the Raw app. When we first loaded the app, we could see that it was pulling the user's profile information directly from the company's servers, but the server was not protecting the returned data with any authentication.

In practice, that meant anyone could access any other user's personal information by using a web browser to visit the web address of the exposed server: api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to match any other user's 11-digit identifier returned personal information from that user's profile, including their location data.

A screenshot showing an exposed user profile set up by TechCrunch, which includes the user's precise location.
Image credit: TechCrunch
A screenshot showing the location of TechCrunch's user profile on a map of Mountain View, California.
Image credit: TechCrunch

This type of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else's server because of a lack of proper security checks on the user accessing the data.

As we have explained before, IDOR bugs are akin to having a key for a private mailbox, for example, but that key can also unlock every other mailbox on the same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.

The U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access sensitive data at “scale”. As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their applications perform proper authentication and authorization checks.
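
The authentication and authorization checks CISA describes, sketched for a profile lookup by numeric ID like the one described above. This is an added example, not code from Raw or TechCrunch; the records, tokens, field names and the allow-listed public view are constructed assumptions.

```python
# Constructed sample data: IDs, tokens and field names are illustrative assumptions.
USERS = {
    "10000000001": {"display_name": "user_a", "date_of_birth": "1990-01-01",
                    "preferences": "sample", "lat": 37.3861, "lon": -122.0839},
    "10000000002": {"display_name": "user_b", "date_of_birth": "1988-05-05",
                    "preferences": "sample", "lat": 37.4000, "lon": -122.1000},
}
SESSIONS = {"token-a": "10000000001"}   # bearer token -> authenticated user ID
PUBLIC_FIELDS = ("display_name",)       # assumption: what other users may see
SENSITIVE = {"date_of_birth", "preferences", "lat", "lon"}


def get_user_vulnerable(user_id, token=None):
    """Missing-check pattern: whoever supplies an ID gets the full record."""
    record = USERS.get(user_id)
    return (200, dict(record)) if record else (404, {})


def get_user_hardened(user_id, token=None):
    """Authenticate the caller, then authorize access to this specific object."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, {}                  # authentication: no valid session
    record = USERS.get(user_id)
    if record is None:
        return 404, {}
    if caller == user_id:
        return 200, dict(record)        # authorization: owner sees full profile
    # Everyone else gets an allow-listed view: no birth date, no coordinates.
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def audit(handler, target="10000000002"):
    """Regression check: cases where a non-owner receives sensitive fields."""
    findings = []
    for label, token in (("unauthenticated", None), ("other user", "token-a")):
        status, body = handler(target, token)
        leaked = sorted(SENSITIVE & set(body))
        if status == 200 and leaked:
            findings.append((label, leaked))
    return findings


if __name__ == "__main__":
    print("vulnerable:", audit(get_user_vulnerable))
    print("hardened:  ", audit(get_user_hardened))
```

Running a check like `audit` against every object-lookup route in a test suite catches a missing authorization check before release.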

Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
