3Fun is a popular dating app that allows "local kinky, open-minded people" to meet and interact. It was recently found exposing personal data and real-time locations of as many as 1.5 million users.
The app promises privacy and discretion to its more than a million users. However, security researchers at Pen Test Partners found its security to be very poor, describing it as "probably the worst security for any dating app" they have ever seen.
The researchers analysed the dating app and found that it leaked users' near real-time locations, dates of birth and sexual preferences. It also leaked chat history and private pictures, even when users had enabled the relevant privacy settings.
The app normally shares a user's latitude and longitude with other users. A user can turn this off in the app's settings, but the researchers found that the setting is enforced only in the mobile app, not on the server: the API still returns the co-ordinates and the client merely hides them. Anyone who queries the API directly, bypassing the client, therefore receives a user's position even when that user has opted out.
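To make that distinction concrete, the following is an added illustration written for this page (it is not code from 3Fun or from Pen Test Partners' write-up) of a profile endpoint that trusts the client to hide co-ordinates, beside one that enforces the owner's setting on the server, plus the check a tester would run against either. The user records, endpoint names and the stranger account id are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    user_id: int
    display_name: str
    lat: float
    lon: float
    share_location: bool  # the privacy toggle the user sees in the app


# Constructed sample records for the example; not real users or positions.
PROFILES = {
    101: Profile(101, "user_a", 51.5007, -0.1246, share_location=False),
    102: Profile(102, "user_b", 38.8977, -77.0365, share_location=True),
}

STRANGER_ID = 999  # any account that is not the profile owner


def vulnerable_profile_endpoint(target_id: int, requester_id: int) -> dict:
    """The pattern described above: the server returns everything it holds
    and trusts the mobile app to drop lat/lon when share_location is off.
    requester_id is ignored, which is exactly the problem."""
    p = PROFILES[target_id]
    return {
        "id": p.user_id,
        "name": p.display_name,
        "lat": p.lat,
        "lon": p.lon,
        "share_location": p.share_location,
    }


def mobile_app_render(response: dict) -> dict:
    """Client-side 'filter'. It hides the co-ordinates from the screen, but
    they have already crossed the network and sit in the attacker's proxy."""
    shown = dict(response)
    if not shown.get("share_location", True):
        shown.pop("lat", None)
        shown.pop("lon", None)
    return shown


def hardened_profile_endpoint(target_id: int, requester_id: int) -> dict:
    """Server-side enforcement: co-ordinates leave the server only when the
    owner opted in, or when the owner is asking about their own record."""
    p = PROFILES[target_id]
    body = {"id": p.user_id, "name": p.display_name}
    if requester_id == p.user_id or p.share_location:
        body["lat"] = p.lat
        body["lon"] = p.lon
    return body


def find_location_leaks(endpoint) -> list:
    """The check a tester would run against the API: query every opted-out
    profile as a stranger, bypassing the client entirely, and report any
    profile that still comes back with co-ordinates."""
    leaked = []
    for p in PROFILES.values():
        if p.share_location:
            continue
        body = endpoint(p.user_id, STRANGER_ID)
        if "lat" in body or "lon" in body:
            leaked.append(p.user_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", find_location_leaks(vulnerable_profile_endpoint))
    print("hardened endpoint leaks:  ", find_location_leaks(hardened_profile_endpoint))
```

The tester's check never goes through `mobile_app_render`; that is the point. A privacy control that only exists in the client is a display preference, not an access control, and the server has to make the decision itself for every requester.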
As a result, the researchers found active 3Fun users at the White House, at 10 Downing Street and at the US Supreme Court, and were able to place hundreds of users with pin-point accuracy in London, other UK cities and Washington DC.
3Fun dating app did not protect users' privacy
"Several dating apps, including Grindr, have had leaked user location problems before, known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position.
The researchers said: "But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure. It’s easy to track users in near real time, uncovering very personal information and photos".
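The trilateration technique the researchers contrast 3Fun with works as follows. This is an added worked example written for this page, not code from the researchers or from any app: it simulates a "distance from me" API with the haversine formula, probes it from three spoofed GPS positions, and solves for the target's position. The target and probe co-ordinates are constructed; the target stands in for a victim whose position the attacker does not know.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres; stands in for the app's server-side
    'distance from me' calculation."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed target in central London (not a real user).
TARGET = (51.5074, -0.1278)


def distance_from_me_api(spoofed_lat, spoofed_lon):
    """Simulated API response: 'this user is N metres from you'. The attacker
    controls only the position they claim to be at."""
    return haversine_m(spoofed_lat, spoofed_lon, *TARGET)


def to_local_xy(lat, lon, ref_lat, ref_lon):
    """Equirectangular projection around a reference point: lat/lon to metres
    east/north, accurate to well under a metre over a few kilometres."""
    x = math.radians(lon - ref_lon) * math.cos(math.radians(ref_lat)) * EARTH_RADIUS_M
    y = math.radians(lat - ref_lat) * EARTH_RADIUS_M
    return x, y


def from_local_xy(x, y, ref_lat, ref_lon):
    lat = ref_lat + math.degrees(y / EARTH_RADIUS_M)
    lon = ref_lon + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(ref_lat))))
    return lat, lon


def trilaterate(points, distances):
    """Intersect three circles (centre, radius) in the plane. Subtracting the
    first circle's equation from the other two leaves two linear equations in
    (x, y), solved here by Cramer's rule."""
    (x1, y1), (x2, y2), (x3, y3) = points
    d1, d2, d3 = distances
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("probe positions must not be collinear")
    return (c * e - b * f) / det, (a * f - c * d) / det


def locate_target(probes):
    """Attacker side: spoof GPS to each probe position, read back the reported
    distance, and solve. Returns the recovered (lat, lon)."""
    ref_lat, ref_lon = probes[0]
    points = [to_local_xy(lat, lon, ref_lat, ref_lon) for lat, lon in probes]
    distances = [distance_from_me_api(lat, lon) for lat, lon in probes]
    x, y = trilaterate(points, distances)
    return from_local_xy(x, y, ref_lat, ref_lon)


# Three constructed spoofed positions roughly a kilometre from the target,
# spread around it so they are not collinear.
PROBES = [(51.5164, -0.1278), (51.5074, -0.1128), (51.4994, -0.1398)]


def recovery_error_m(probes=PROBES):
    """Metres between the recovered position and the true (hidden) target."""
    lat, lon = locate_target(probes)
    return haversine_m(lat, lon, *TARGET)


if __name__ == "__main__":
    print("recovered:", locate_target(PROBES))
    print("error (m):", round(recovery_error_m(), 2))
```

With exact distances the recovered position lands within a metre of the target. Apps that have been hit by this in practice usually round the reported distance, which forces the attacker to use more probes or repeated queries to narrow the result; the researchers' point is that 3Fun skipped even that step and handed the raw co-ordinates to the client.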
Justin Fox, director of DevOps engineering at NuData Security, commented on the poor security of the 3Fun app. He said that attackers could have used the leaked data to build profiles of users combining typical profile information with their physical location, for a user base billed as kinky, open-minded people. This is sensitive information that could be used to harass and persecute LGBTQ+ individuals.
"Due to the multiple security vulnerabilities in the application, researchers were able to manipulate their session details to change data attributes and collect profile information of other registered users. This is where a layered security approach that establishes a trusted device profile is critical to providing a better consumer experience that validates the device and prevents attribute spoofing.
"The experience is frictionless to most consumers (as long as they don’t show signs of risk, there is no need for additional authentication) while it mitigates the risk organisations face such as spoofed or manipulated device intelligence data. It’s important to foster inclusion and diversity in all environments – acceptance matters," he added.