A dating application vulnerability exposed the data of 1.5 million users, including in the US White House

Pen Test Partners has published the results of a study of one of the most popular dating applications: 3fun, an app for finding group sex partners, with a database of one and a half million users. The study showed that the application's security does not stand up to scrutiny.

“In recent years, we have encountered many weaknesses in the security of dating apps. Violations of the processing of personal data, leakage of user location information and much more. But this application breaks the jackpot: it probably has the worst security of all the dating apps we’ve ever seen,” write Pen Test Partners.

According to the researchers, the application exposes the location of almost any user in real time: at work, at home, on the go, anywhere. It also exposes users' dates of birth, sexual preferences and chat data, and can be used to find users' personal photos.

“This is a train crash of privacy. How many relationships or careers can fail due to the disclosure of this data?” Pen Test Partners noted.

Some dating applications, including Grindr, have previously had problems with disclosing users' locations through trilateration (determining coordinates by constructing on the terrain a system of adjacent triangles whose side lengths are measured). With this method, the “distance from me” function in the application can be used to work out the relative location of another user. But 3fun, according to Pen Test Partners, is “a whole order of magnitude” less secure. Using a GET request to the application, one can obtain the latitude and longitude of a user's location from its systems and determine that location right down to the house.

According to Pen Test Partners, the vulnerability allowed them to find several users of the application in government institutions in different countries, including the US Supreme Court, the White House and 10 Downing Street (the residence of the Prime Minister of Great Britain).
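As an added illustration (not code from Pen Test Partners, TechCrunch or 3fun), here is one way a server could avoid the exposures described in this article, exact coordinates returned to a GET request and exact dates of birth: build each response from an allow-list and report only a coarse distance band computed from grid-snapped positions. The field names, grid size and distance bands are assumptions made for the example.

```python
import math
from datetime import date

GRID_DEG = 0.05                       # assumed cell size, roughly 5.5 km of latitude
BANDS_KM = (5, 10, 25, 50, 100)       # assumed distance bands shown to other users
PUBLIC_FIELDS = ("username", "bio")   # hypothetical allow-list of profile fields

def snap(lat, lon, grid=GRID_DEG):
    """Replace a coordinate with the centre of its grid cell."""
    return ((math.floor(lat / grid) + 0.5) * grid,
            (math.floor(lon / grid) + 0.5) * grid)

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def distance_band(viewer, target):
    """Band computed from snapped positions, so it depends only on the two cells."""
    d = haversine_km(snap(*viewer), snap(*target))
    for limit in BANDS_KM:
        if d <= limit:
            return f"within {limit} km"
    return f"over {BANDS_KM[-1]} km"

def age_years(dob, today):
    """Whole years only; the exact date of birth stays server-side."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

def public_profile(record, viewer_pos, today):
    """Build the response from an allow-list: no lat, lon or dob is ever copied."""
    out = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    out["age"] = age_years(record["dob"], today)
    out["distance"] = distance_band(viewer_pos, (record["lat"], record["lon"]))
    return out

# Constructed sample record; coordinates and names are made up for the example.
SAMPLE = {"username": "user_a", "bio": "hi", "lat": 51.5012, "lon": -0.1234,
          "dob": date(1990, 8, 15)}

if __name__ == "__main__":
    print(public_profile(SAMPLE, (52.21, 0.12), date(2019, 8, 10)))
```

Because both positions are snapped before the distance is computed, the answer depends only on the two grid cells, so repeated queries from different reported locations cannot narrow a user down below one cell.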
The application also exposes the user's exact date of birth, which makes it easy to deanonymize them.

“We contacted 3fun about this and asked them to fix security flaws. 3fun quickly solved the problem, but it is unfortunate that so much personal data has been open for so long,” concluded Pen Test Partners.

Inspired by the experience of Pen Test Partners, TechCrunch carried out similar research.

“We were able to change our current geolocation in accordance with any set of coordinates that we wanted, for example, at the White House and the CIA headquarters. In this way, we were able to manipulate our location and obtain data for the place we needed. We found user profiles, including their sexual preferences, sexual orientation, age, username and name of their partner, and much other extensive, specific and personal information about users, including their photos. In some cases, dates of birth were also set. Not a single part of the data has been encrypted,” TechCrunch writes.

And this is only one of a number of similar cases. For example, JCrush, a dating application popular in the Jewish community, exposed the data of 200,000 users after a security violation. Last year, the dating application Donald Daters exposed its entire user base, at that time about 1600 users, due to an error in the encoding of security keys.