Introduction to Data Exposure

A dating app, Raw, which recently unveiled a new wearable device, has been found to have exposed its users’ data publicly. The exposed data included granular and personal information, such as approximate locations.

Raw App’s Unique Features and Recent Developments

Raw claims to promote "real and unfiltered love" through its distinctive user interface, similar to BeReal, but designed for dating. The app utilizes both the front and back cameras of a user’s phone. Additionally, Raw has introduced a new hardware product called the Raw ring, which allows users to track their partners’ locations to ensure fidelity. However, this feature raises concerns about potential problematic scenarios. Unfortunately, Raw has also been promoting users’ data in an "unfiltered" manner.

Security Breach and Data Exposure

According to TechCrunch, due to inadequate digital security measures, Raw accidentally left users’ personal information open to public access. Before this week, anyone with a web browser could access detailed app user information, including date of birth, display names, sexual preferences, and specific "street-level" location data. TechCrunch discovered the security vulnerabilities during a brief test of the company’s app, using a virtualized Android device and a network monitoring tool to observe the data transmitted to and from the app.

Analysis of the Security Loophole

The analysis revealed that the personal data was not protected with any authentication barrier. TechCrunch notes that while Raw claims to protect users with end-to-end encryption, no evidence of E2EE was found. The security loophole can be explained as follows:

When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication. In practice, that meant anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server — api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data. This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.

Response and Resolution

Gizmodo reached out to Raw for more information, and according to statements made to TechCrunch, the security issues have been patched as of Wednesday. "All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future," said Marina Anderson, co-founder of Raw dating app.

Conclusion

It’s not uncommon for companies to poorly secure user data, as security is not always a top priority in the software industry. However, for a dating app that handles sensitive and intimate user data, it’s crucial to invest time and resources in securing user information. As the saying goes: "wrap it before you tap it."