TechCrunch has found that a security lapse at the dating app Raw publicly exposed the personal data and private location data of its users.
The exposed data included users' display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates specific enough to locate Raw app users accurately.
Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others, in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store shows more than 500,000 Android downloads so far.
News of the security lapse comes in the same week that the company announced a hardware extension of its dating app, the Raw Ring, a wearable device that will allow app users to track their partner's heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.
Despite the ethical and moral issues of tracking romantic partners and the risks of emotional monitoring, Raw claims on its website and in its privacy policy that its app and its device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.
When we tried the app this week, which included an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly leaking data about its users to anyone with a web browser.
Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.
“All of the previously exposed endpoints have been secured, and we have implemented additional guarantees to prevent similar problems in the future,” Marina Anderson, co-founder of the Raw dating app, told TechCrunch via email.
When asked by TechCrunch, Anderson confirmed that the company has not had an external security review of its app, adding that “the focus on building a high-quality product and participating usefully with our growing society.”
Anderson would not commit to proactively notifying affected users that their information was exposed, but said that the company “will submit a detailed report to the relevant data protection authorities under the regulations in force.”
It is not immediately known how long the app had been publicly exposing its users' data. Anderson said the company is still investigating the incident.
Regarding the claim that the app uses end-to-end encryption, Anderson said that Raw “uses encryption in transit and imposes controls on access to sensitive data within our infrastructure. Other steps will be clear after the situation is precisely analyzed.”
Anderson would not say, when asked, whether the company plans to revise its privacy policy, and did not respond to a follow-up email from TechCrunch.
How we found the exposed data
TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without having to provide any real-world data, such as our physical location.
We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device's location, we allowed the app access to our precise location, down to a few meters.
We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what types of data about its users the app was transferring.
TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user's profile information directly from the company's servers, but the server was not protecting the returned data with any authentication.
In practice, this meant that anyone could access any other user's private information by using a web browser to visit the web address of the exposed server, api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to match any other user's 11-digit identifier returned private information from that user's profile, including their location data.


This type of security vulnerability is known as an insecure direct object reference, or IDOR, a class of bug that can allow someone to access or modify data on someone else's server because the server lacks proper security checks on whether the user is allowed to access that data.
As we have explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on the same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.
CISA has long warned of the risks of IDOR bugs, including the ability to access typically sensitive data “widely.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure that their apps perform proper authentication and authorization checks.
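The missing check, as an added example that is not Raw's code and not part of the original article: a minimal Python model of a `/users/<id>` lookup without any authentication, next to a version that authenticates the caller and then authorizes access to the specific record. The profile data, function names, session store and the "public fields" policy are all assumptions made for illustration.

```python
import secrets

# Constructed sample data: profiles keyed by an 11-digit ID (all values made up).
PROFILES = {
    "10000000001": {"display_name": "alice", "birth_date": "1990-01-01",
                    "location": (37.4143, -122.0774)},
    "10000000002": {"display_name": "bob", "birth_date": "1988-05-17",
                    "location": (40.7128, -74.0060)},
}
PUBLIC_FIELDS = ("display_name",)  # assumed policy: what other signed-in users may see
SESSIONS = {}                      # bearer token -> ID of the account that logged in


def login(user_id):
    """Issue an unguessable session token bound to one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_user_vulnerable(user_id, token=None):
    """The flaw described above: knowing (or guessing) the ID is enough."""
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def get_user_hardened(user_id, token=None):
    """Authenticate the caller, then authorize access to this specific object."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return 401, None                 # no anonymous reads at all
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, None
    if caller == user_id:
        return 200, dict(profile)        # the owner sees the full record
    # Anyone else gets only the fields the policy marks as public:
    # location and birth date never leave the server for another user's ID.
    return 200, {field: profile[field] for field in PUBLIC_FIELDS}
```

The authorization decision is made per object on the server, so changing the number in the URL no longer changes what a caller is entitled to read.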
Since Raw fixed the bug, the exposed server no longer returns user data in the browser.