Popular dating app leaked personal data of 1.5 million users

Popular dating app leaked personal data of 1.5 million users

3Fun is a popular dating app that allows "local kinky, open-minded people" to meet and interact. It was recently found exposing personal data and real-time locations of as many as 1.5 million users.

The app is thought to offer privacy and secrecy to over a million users. However, security researchers at Pen Test Partners noted that the security credentials of the app are very poor. They suggested that the app has "probably the worst security for any dating app" they've ever seen.

The researchers analysed the dating app. They found that the app leaked near real-time location of users, dates of birth and sexual preferences. They also leaked chat history and private pictures, even if privacy settings were set.

The app normally discloses the latitude and longitude of a user. The user can restrict the sending of such co-ordinates to other users. However, it was revealed that this setting is filtered in the mobile app itself and not on the server. This means anyone can query the app's API for the position data of a user, even if the user restricts the app from revealing the same.

As a result, the researchers found active users of 3Fun located in the White House, at 10 Downing Street, as well as one at the US Supreme Court. They also found hundreds of users with pin-point accuracy in major cities such as London, other cities in the UK, and in Washington DC.

3Fun dating app did not protect users' privacy

"Several dating apps, including Grindr, have had leaked user location problems before, known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position.

The researchers said: "But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure. It’s easy to track users in near real time, uncovering very personal information and photos".

Justin Fox, director of DevOps engineering at NuData Security, commented on the poor security of 3Fun app. He said that hackers could have used the dating app to create profiles of the users with both typical profile information and physical location data of its users who are billed as kinky, open-minded people. This can be sensitive information that could be used for harassment and persecution of LGBTQ+ individuals.

"Due to the multiple security vulnerabilities in the application, researchers were able to manipulate their session details to change data attributes and collect profile information of other registered users. This is where a layered security approach that establishes a trusted device profile is critical to providing a better consumer experience that validates the device and prevents attribute spoofing.

"The experience is frictionless to most consumers (as long as they don’t show signs of risk, there is no need for additional authentication) while it mitigates the risk organisations face such as spoofed or manipulated device intelligence data. It’s important to foster inclusion and diversity in all environments – acceptance matters," he added.

ALSO READ: Privacy concerns dominate as FaceApp crosses 100 million installations

Copyright Lyonsdown Limited 2021

Top Articles

With cyber attacks on the rise, the Royal Family seeks a cyber security expert

The Royal Household is looking for a cyber security engineer to monitor networks and protect digital systems from hacking attacks.

Colonial Pipeline paid $5 million in ransom to DarkSide ransomware group

Colonial Pipeline paid $5 million to the DarkSide ransomware group to restore operations within hours after a ransomware attack paralysed fuel supplies in the U.S. east coast.

HSE forced to shut down computer systems due to 'significant cyber attack'

Ireland's public healthcare system, HSE, has been forced to shut down its computer systems as hospital administrators became aware of a 'significant ransomware attack' on Thursday evening.

Related Articles