A dating app accidentally exposed users’ personal information and location
An online dating app that announced a new ring-like wearable device this week publicly exposed user data, including granular personal information and approximate location. The app, Raw, claims to promote “real and unfiltered love” through its unique interface, which is similar to a dating app that uses both the front and rear cameras of your phone. Raw also recently announced a new device that supposedly allows users to track their lovers’ location to ensure they are not being deceived. Unfortunately, it seems Raw was promoting something even more “unfiltered”: user data.
### Data leak compromising users
TechCrunch reported that, because it lacked basic digital security protections, Raw accidentally left users’ personal information open to public inspection. Before this week, anyone using a web browser could access detailed user information from the app, such as birthdate, name, sexual preferences, and very specific location data “at street level”.
TechCrunch discovered the security deficiencies during a brief test of the app. They downloaded Raw on a virtualized Android device and used a network monitoring tool to observe the data flowing to and from the app. The analysis revealed that personal data was not protected by any authentication barrier. TechCrunch found this issue within minutes of using the app and noted that, although Raw claims to protect users with end-to-end encryption (E2EE), no evidence of E2EE was found. The security problem was as follows: the app pulled user profile information directly from the company’s servers, and the servers returned that data without requiring any authentication. This class of vulnerability, known as Insecure Direct Object References (IDOR), can allow unauthorized access to, or modification of, data on a server when access controls and proper security checks are missing.
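A minimal sketch of the flaw described above next to a hardened handler, added here as an illustration and not taken from Raw or TechCrunch. The data store, session tokens, field names and function names are all hypothetical, and the reduced view returned to other users is an assumed policy.

```python
from datetime import date

# Constructed sample data; IDs and field names are hypothetical, not Raw's API.
PROFILES = {
    1001: {"name": "Alice", "birthdate": date(1994, 5, 2),
           "sexual_preference": "women", "lat": 52.520008, "lon": 13.404954},
    1002: {"name": "Bob", "birthdate": date(1990, 11, 17),
           "sexual_preference": "men", "lat": 48.856613, "lon": 2.352222},
}
SESSIONS = {"token-alice": 1001, "token-bob": 1002}  # session token -> user id


class Unauthorized(Exception):
    """Request carries no valid session (would map to HTTP 401)."""


def get_profile_vulnerable(user_id):
    # IDOR: the record is returned to any caller who supplies an ID.
    # No session is checked and no field is withheld.
    return PROFILES[user_id]


def get_profile_hardened(session_token, user_id):
    # 1. Authentication: reject requests without a valid session.
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Unauthorized("authentication required")
    profile = PROFILES.get(user_id)
    if profile is None:
        raise KeyError("no such profile")
    # 2. Object-level authorization: only the owner gets the full record.
    if caller == user_id:
        return dict(profile)
    # 3. Data minimization for other signed-in users (assumed policy):
    #    drop birthdate and preferences, and round coordinates to one
    #    decimal place (roughly 11 km) instead of street level.
    return {"name": profile["name"],
            "lat": round(profile["lat"], 1),
            "lon": round(profile["lon"], 1)}
```

The check in step 2 compares the requested ID with the identity bound to the session on the server, never with an ID the client sends about itself.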
### Raw’s response
Gizmodo contacted Raw for more information. According to statements made to TechCrunch, the security issues were resolved on Wednesday. Marina Anderson, Raw’s co-founder, stated, “All previously exposed endpoints have been secured, and we have implemented additional safeguards to prevent similar issues in the future.”
It is not uncommon for companies to inadequately protect user data, as security is not always a top priority in the software industry. However, for a dating app that deals with users’ most sensitive and intimate data, it is crucial to dedicate more time to creating barriers to protect that data.
