Group Dating App 3Fun Found Exposing Sensitive Data Of Millions Of Users
Sundar Pichai - Oct 05, 2019
The app has apparently exposed sensitive user data consisting of real-time location, private pictures, and personal information like dates of birth or sexual preferences.
Dating applications have been strongly criticized for poor security in recent years. Grindr, for instance, had user location disclosure issues last year through a technique called “trilateration.” There are further problems regarding user privacy, such as breaches of personal data or sexual abuses. However, according to a recent report by Pen Test Partners, 3Fun appears to have the worst security of any dating app.
3Fun describes itself as an app designed for “meeting local kinky, open-minded people for 3some and swinger style”. The platform claims 1.5 million users, who are mostly based in “top cities” including New York, Los Angeles, Chicago, Houston, San Francisco, and more.
How It Leaked User Data
According to Pen Test Partners, which reported the issues in 3Fun, the app has apparently exposed sensitive user data consisting of real-time location, private pictures, and personal information like dates of birth or sexual preferences of its users.
Previously, there have been data exposure incidents in which hackers spoofed GPS locations, looked at the reported distances to users, and then worked out their exact position. 3Fun does not even require this “trilateration” method: it simply “sends” users' data to the mobile app, exposing it in a GET request.
With a few steps, Pen Test Partners was able to get the exact location of users in the U.K., including one in Number 10 Downing Street, and of some users in the White House as well as the US Supreme Court.
Experts said that the data is only archived through the mobile app, not the app server. Even when the data is hidden from the app interface, the API can still be queried for it, because the filtering is client-side.
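The difference between client-side and server-side filtering is shown in the added example below, which is not code from 3Fun or Pen Test Partners; the record layout, field names and function names are all hypothetical. It puts the flawed pattern next to a hardened one and adds a check a tester can run against a response body to confirm that hidden fields never leave the server.

```python
import json

# Constructed sample records; every field name here is hypothetical.
USERS = [
    {"id": 1, "name": "alice", "birthday": "1990-01-01",
     "lat": 51.5034, "lon": -0.1276, "hide_location": True},
    {"id": 2, "name": "bob", "birthday": "1985-06-15",
     "lat": 40.7128, "lon": -74.0060, "hide_location": False},
]

# Fields another user may ever receive; birthday is deliberately absent.
PUBLIC_FIELDS = ("id", "name")


def nearby_client_filtered(users):
    """Flawed pattern: ship everything plus a flag and trust the app to hide it."""
    return json.dumps(users)


def nearby_server_filtered(users):
    """Hardened pattern: build the response from an allowlist on the server."""
    out = []
    for u in users:
        view = {k: u[k] for k in PUBLIC_FIELDS}
        if not u["hide_location"]:
            view["lat"], view["lon"] = u["lat"], u["lon"]
        out.append(view)
    return json.dumps(out)


def leaked_fields(response_body, users):
    """Regression check: (user id, field) pairs on the wire that policy forbids."""
    by_id = {u["id"]: u for u in users}
    leaks = []
    for rec in json.loads(response_body):
        owner = by_id[rec["id"]]
        allowed = set(PUBLIC_FIELDS)
        if not owner["hide_location"]:
            allowed |= {"lat", "lon"}
        leaks += [(rec["id"], f) for f in sorted(rec) if f not in allowed]
    return leaks


if __name__ == "__main__":
    print(leaked_fields(nearby_client_filtered(USERS), USERS))
    print(leaked_fields(nearby_server_filtered(USERS), USERS))
```

The check inspects the raw response rather than what the app renders, which is the only place a client-side filter can be told apart from a real one.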
Pen Test Partners Reached Out To 3Fun
On detecting the problems, Pen Test Partners reached out to 3Fun, demanding that it fix the security holes. In its reply, 3Fun said that it was not aware of the flaws.
The company took action immediately and fixed the issues, as stated by Pen Test Partners. Nonetheless, the personal data of 1.5 million users was exposed on this platform for so long, and that is a real problem.