A dating app that, just this week, announced a creepy new wearable, has been found to have publicly exposed users’ data. The data was granular and personal, including their approximate locations.
The app, Raw, says it is dedicated to promoting “real and unfiltered love” through its unique user interface, which resembles BeReal (it uses the front and back cameras of your phone), but for dating. Raw also recently announced a bizarre new piece of hardware, called the Raw ring, which purports to allow users to track the location of their lovers to ensure they’re not cheating (there’s no way that could ever lead to problematic scenarios, right?). Unfortunately, it would appear that Raw has also been promoting something else in quite an “unfiltered” fashion: users’ data.
TechCrunch reports that due to a lack of basic digital security protections, Raw was accidentally leaving users’ personal information open to public inspection. Indeed, prior to this week, anyone with a web browser would have been able to access detailed app user data, including their date of birth, display names, sexual preferences, and quite specific “street-level” location data.
TechCrunch says it discovered the security deficiencies during a brief test of the company’s app. Raw was downloaded onto a virtualized Android device, and then TC staffers used a network monitoring tool to observe the data being transmitted to and from the app. The analysis showed that the user data was not being protected with any kind of authentication barrier. TC says it discovered the problem within the first “few minutes” of using the app. TC also notes that, while Raw claims to protect users with end-to-end encryption, it found no evidence that E2EE was present. They break down the security loophole like so:
When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication. In practice, that meant anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server — api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data. This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s server because of a lack of proper security checks on the person accessing the data.
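To make the IDOR pattern TechCrunch describes concrete, here is an added illustration (not Raw’s code and not from TechCrunch) of a profile endpoint that trusts the id in the URL next to a hardened version that first authenticates the caller and then limits what a non-owner may see. The profiles, session store, and `Bearer` token scheme are constructed for the example.

```python
# Added example: a minimal model of an IDOR on a /users/<id> endpoint and its fix.
# All data below is constructed; nothing here is Raw's real API or data.
from dataclasses import dataclass
from typing import Optional

# Fields any logged-in user may see of someone else's profile (least exposure).
PUBLIC_FIELDS = {"display_name"}

# Constructed sample profiles keyed by an 11-digit user id, as in the article.
PROFILES = {
    "10000000001": {"display_name": "alice", "dob": "1990-01-01", "lat": 37.77, "lon": -122.41},
    "10000000002": {"display_name": "bob", "dob": "1988-05-05", "lat": 40.71, "lon": -74.00},
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"token-alice": "10000000001"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_user_vulnerable(user_id: str, authorization: Optional[str] = None) -> Response:
    """The failure mode in the article: the path id is the only input that matters.
    The Authorization header is never consulted, so any id yields the full profile."""
    profile = PROFILES.get(user_id)
    return Response(200, dict(profile)) if profile else Response(404)


def _caller_from_header(authorization: Optional[str]) -> Optional[str]:
    """Map a 'Bearer <token>' header to the authenticated user id, or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    return SESSIONS.get(authorization[len("Bearer "):])


def get_user_hardened(user_id: str, authorization: Optional[str] = None) -> Response:
    """Fix: authenticate first, then authorize against the resource owner.
    Owners get their full record; other authenticated users get only PUBLIC_FIELDS,
    so date of birth and street-level location never leave the server for them."""
    caller = _caller_from_header(authorization)
    if caller is None:
        return Response(401)
    profile = PROFILES.get(user_id)
    if profile is None:
        return Response(404)
    if caller == user_id:
        return Response(200, dict(profile))
    return Response(200, {k: v for k, v in profile.items() if k in PUBLIC_FIELDS})
```

The same ownership check belongs on every endpoint that takes an object id, not just the profile read; an IDOR on a write path lets data be modified, not merely read.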
Gizmodo reached out to Raw for more information. According to statements made to TechCrunch, the security issues have been patched as of Wednesday. “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told the outlet.
It’s not uncommon for companies to poorly secure user data. Strange as it may sound, security is not a particularly huge priority in the software industry. It can be time-consuming, expensive, and may slow down other parts of production, so many companies simply don’t bother with it. With a dating app, however—a business which is dedicated to handling users’ most intimate (literally) and sensitive data—it obviously pays to spend a little bit more time locking stuff down. As they say: wrap it before you tap it.