
Dating App Raw Leaks Users’ Location Data and Personal Information

by admin

A security breach at the dating app Raw has revealed the personal and location data of its users, according to a report from TechCrunch. The compromised information includes users’ display names, dates of birth, sexual preferences, and location data with astonishing accuracy, down to street level.

Launched in 2023, Raw seeks to foster authentic connections by requiring users to upload daily selfies. While the company hasn’t disclosed its exact number of users, its Google Play Store listing shows over 500,000 downloads for Android.

The revelation of this data exposure coincided with Raw’s announcement of a new hardware product, the Raw Ring, a wearable device designed to monitor partners’ heart rates and other metrics for potential signs of infidelity. Raw suggests that the app and device use end-to-end encryption to secure user data, yet TechCrunch found no evidence of this being implemented; instead, sensitive user information was accessible through a simple web search.

Raw addressed the vulnerability shortly after TechCrunch informed them, stating they had secured the exposed endpoints and would implement further protections. However, co-founder Marina Anderson admitted the company had not conducted a third-party security audit, focusing instead on product development and community engagement. When asked about notifying affected users, she mentioned that a report would be submitted to relevant data protection authorities, but did not commit to informing users directly.

The length of time the data was exposed remains unclear as Raw continues investigating the incident. Anderson maintained that while encryption is used during data transit, proper authentication for accessing sensitive data is another area needing review.

TechCrunch uncovered the breach through a test of the Raw app, which allowed them to access user data without providing real personal information. They created a test account and observed that the app pulled user data directly from the company’s servers without adequate security checks. This lack of protection meant anyone could access another user’s information by altering the URL associated with a unique user identifier.

This vulnerability falls under the category of Insecure Direct Object Reference (IDOR), a flaw that can let individuals gain unauthorized access to sensitive information. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised awareness about the dangers of IDOR vulnerabilities, advising developers on the importance of implementing robust authentication and authorization checks to protect user data. Following the fix, Raw’s server has ceased to deliver user data through unprotected channels.
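
To make the IDOR pattern concrete, here is an added example (not Raw's code and not from the TechCrunch report) that puts a profile lookup with no caller check beside one that authenticates the caller and authorizes access per record. The profile store, field names, token scheme and function names are all hypothetical, and the records are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample records; field names follow the data types the article lists.
PROFILES = {
    "1001": {"display_name": "sample_a", "date_of_birth": "1990-01-01",
             "sexual_preference": "undisclosed", "lat": -33.8688, "lon": 151.2093},
    "1002": {"display_name": "sample_b", "date_of_birth": "1992-02-02",
             "sexual_preference": "undisclosed", "lat": -37.8136, "lon": 144.9631},
}
PUBLIC_FIELDS = ("display_name",)       # assumption: what other users may see
SESSION_KEY = b"constructed-demo-key"   # placeholder; a real service keeps this secret


def _mac(user_id):
    return hmac.new(SESSION_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id):
    """Bind a session token to one user id (stand-in for a real session layer)."""
    return f"{user_id}.{_mac(user_id)}"


def authenticate(token):
    """Return the user id a valid token is bound to, or None."""
    user_id, _, mac = (token or "").partition(".")
    if user_id and hmac.compare_digest(mac.encode(), _mac(user_id).encode()):
        return user_id
    return None


def get_profile_vulnerable(requested_id, token=None):
    # IDOR: the identifier from the URL is trusted and the caller is never checked.
    profile = PROFILES.get(requested_id)
    return (200, dict(profile)) if profile else (404, None)


def get_profile_checked(requested_id, token=None):
    caller = authenticate(token)            # authentication: who is asking?
    if caller is None:
        return (401, None)
    profile = PROFILES.get(requested_id)
    if profile is None:
        return (404, None)
    if caller == requested_id:              # authorization: owner sees the full record
        return (200, dict(profile))
    # Any other authenticated user gets only the fields marked public.
    return (200, {k: profile[k] for k in PUBLIC_FIELDS})
```

Encryption in transit does not change the outcome of the first handler: the response is delivered securely to whoever asked for it, which is why the authorization check has to live on the server, per record.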
