Raw Dating App Exposes Users’ Personal Data and Private Location Data in Major Security Lapse

In a shocking revelation, TechCrunch has discovered a security lapse at the popular dating app Raw, which has exposed the personal data and private location information of its users. The exposed data includes users’ display names, dates of birth, dating and sexual preferences, as well as their locations. Some of the location data is specific enough to pinpoint users’ locations with street-level accuracy.

Raw, which launched in 2023, claims to offer more genuine interactions with others by asking users to upload daily selfie photos. The app has over 500,000 Android downloads to date, according to its Google Play Store listing. The security lapse is particularly concerning given the app’s recent announcement of a hardware extension, the Raw Ring, an unreleased wearable device that tracks users’ partners’ heart rate and other sensor data to detect infidelity.

The app’s claim of using end-to-end encryption, a security feature that prevents anyone other than the communicating users themselves, including the company operating the service, from reading the data, has been disputed by TechCrunch. Our analysis found no evidence of end-to-end encryption; instead, the app was publicly spilling data about its users to anyone with a web browser. The company has since fixed the data exposure, but the incident raises serious concerns about the app’s security and privacy practices.

The Bug and Its Consequences

The security lapse was discovered by TechCrunch during a brief test of the app. We created a new user account with dummy data and configured our virtual device’s location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device’s location, we allowed the app access to our precise location down to a few meters. We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.

Within a few minutes of using the Raw app, we discovered the data exposure. The app was pulling user profile information directly from the company’s servers, but the server was not protecting the returned data with any authentication. This meant that anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server.

The Impact of IDOR Bugs

The vulnerability discovered in Raw is known as an insecure direct object reference (IDOR) bug, a type of bug that lets someone access or modify another user’s data on a server because the server never checks whether the person making the request is actually allowed to see the record they asked for. IDOR bugs are particularly concerning because they can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA advises developers to ensure their apps perform proper authentication and authorization checks.
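The shape of the bug the article describes, modelled in Python as an added example (this is not the Raw app’s code, schema or data; the profile table and session store are constructed in-memory stand-ins): the vulnerable lookup trusts the object id alone, while the hardened version authenticates the caller and releases birth date, preferences and precise coordinates only to the record’s owner.

```python
from typing import Dict, Optional, Tuple
import secrets
from dataclasses import dataclass, asdict


@dataclass
class Profile:
    """One user record; every field below is among those the article says leaked."""
    user_id: int
    display_name: str
    birth_date: str
    preferences: str
    lat: float          # precise coordinates, street-level accuracy
    lon: float


# Constructed stand-in for the server's user table (not real Raw data).
PROFILES: Dict[int, Profile] = {
    1001: Profile(1001, "alice", "1995-04-02", "women", 37.4143, -122.0774),
    1002: Profile(1002, "bob", "1990-11-17", "men", 37.3861, -122.0839),
}
# Constructed session store: opaque bearer token -> authenticated user id.
SESSIONS: Dict[str, int] = {}


def issue_session(user_id: int) -> str:
    """Log a user in and hand back an unguessable bearer token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile_vulnerable(profile_id: int) -> Optional[dict]:
    """IDOR: the object id alone selects the record and nobody checks who asks,
    so any browser that can reach the URL gets every field of every user."""
    p = PROFILES.get(profile_id)
    return None if p is None else asdict(p)


def get_profile_hardened(profile_id: int, token: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Authenticate first, then authorize per field. Returns (HTTP status, body)."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return 401, None                 # no valid session: release nothing
    p = PROFILES.get(profile_id)
    if p is None:
        return 404, None
    if caller == p.user_id:              # the owner may read the full record
        return 200, asdict(p)
    # Another authenticated user sees only what the product means to show;
    # birth date, preferences and coordinates never leave the server.
    return 200, {"user_id": p.user_id, "display_name": p.display_name}
```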

Actionable Insights and Conclusion

The Raw dating app’s security lapse serves as a stark reminder of the importance of prioritizing security and privacy in app development. The incident highlights the need for developers to implement robust security measures, including proper authentication and authorization checks, to protect users’ sensitive data.

For users, it is essential to be aware of the potential risks associated with using dating apps and to take steps to protect their personal data. This includes being cautious when sharing personal information and using strong passwords.

For developers, the incident is a wake-up call: regular security audits and robust security measures, above all authentication and authorization checks on every request that returns user data, are needed to protect users’ sensitive data.

In conclusion, the Raw dating app’s security lapse shows how a single missing authorization check can expose a user base’s most sensitive data. As the tech industry continues to evolve, treating user security and privacy as a priority remains essential to building trust and maintaining a secure online environment.