With security revocation in the Dating App, Raw has released user personal and private location data, TechCrunch discovered.
The published data included the user’s display name, date of birth, date of dating, sexual preferences related to the RAW app, and user location. Some of the location data contained coordinates specific enough to find raw app users with Street-level accuracy.
Launched in 2023, Raw is a dating app that claims to provide more authentic interactions with others by asking users to upload photos of their daily selfies. The company has not disclosed the number of users, but the Google Play Store app list notes over 500,000 Android downloads so far.
News of security lapse comes the same week when the startup announced the hardware extension for its dating app Raw Ring. It claims that app users can track their partner’s heart rate and other sensor data to receive AI-generated insights.
We use security features that prevent moral and ethical issues and emotional surveillance risks that track romantic partners, and the privacy policy that both the website and its app and its unreleased devices from accessing data using security features that prevent users, including non-users, from accessing data using security features that prevent users, including non-users.
When trying out an app this week that includes an analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app exposes data about the user to people who have a web browser.
Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.
“All previously exposed endpoints have been secured and additional safeguards have been implemented to prevent similar issues in the future,” Marina Anderson, co-founder of Raw Dating App, told TechCrunch in an email.
When asked by TechCrunch, Anderson confirmed that the company is not doing third-party security audits for its apps, adding that it “focuses on building high-quality products and being meaningfully engaging with a growing community.”
Anderson did not commit to actively notifying affected users that the information was made public, but said the company will “submit a detailed report to relevant data protection authorities under applicable regulations.”
It is not immediately clear how long an app is publishing user data. Anderson said the company is still investigating the incident.
Regarding the claim that the app uses end-to-end encryption, Anderson said RAW “enforces access control for sensitive data within the infrastructure and thoroughly analyzes the situation, further steps will be clear.”
When asked if the company plans to adjust its privacy policy, Anderson did not say that he did not respond to follow-up emails from TechCrunch.
How did you find published data?
TechCrunch discovered a bug on Wednesday in a quick test of the app. As part of my testing, I installed the RAW dating app on my Virtualized Android device. This allows you to use your app without providing actual data such as physical locations.
I created a new user account with dummy data such as name and date of birth, and configured the virtual device location as if I were in a museum in Mountain View, California. When the app requested a virtual device location, the app allowed access to the exact location up to a few meters.
Data was monitored and inspected inside and outside the RAW app using network traffic analysis tools. This allowed me to understand how the app works and what kind of data the app is uploading about users.
TechCrunch discovered data exposure within minutes of using the RAW app. When I first loaded the app, I found out that although I was pulling user profile information directly from the company server, the server didn’t protect the data returned by authentication.
In fact, it means that you can access other users’ personal information by visiting the web address of a server published using a web browser (API.raw.app/users/) followed by a unique 11-digit number corresponding to other app users. Changing the numbers to correspond to other users’ 11-digit identifiers returned personal information from the user’s profile, which contains location data.
This type of vulnerability is known as an insecure direct object reference, or IDOR. This allows someone to access or modify data on another person’s server because there is no proper security check to access the data.
As mentioned before, the bug in Idor is similar to having a key for a private mailbox, for example, but that key can also unlock all other mailboxes on the same way. As such, IDOR bugs are easily exploited and sometimes enumerated, allowing you to access the records after recording your user data.
The US cybersecurity agency CISA has long been warning of the risks presented by IDOR bugs, including the ability to access “large-scale” sensitive data. As part of the Secure by Design Initiative, CISA said in its 2023 advisory that developers should ensure that apps can perform appropriate authentication and authorization checks.
Raw fixed a bug so published servers no longer return browser user data.