A security flaw in the Raw dating app exposed sensitive user data, including location and personal preferences. TechCrunch found that the app was leaking user records through an insecure direct object reference (IDOR) vulnerability: the server endpoint that returned a user's profile performed no authentication or authorization check, so anyone could retrieve another person's record simply by changing the user identifier in the request. The exposed information included users' display names, birth dates, dating preferences, and precise location data.
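The pattern described above, as an added example that is not Raw's code or data: a profile lookup keyed only on a caller-supplied ID, with the enumeration loop an attacker would run against it, beside a hardened lookup that requires a session, checks that the requested object belongs to the caller, and gives other authenticated users a minimised view without birth date or coordinates. The records, session tokens and function names are constructed for illustration.

```python
"""IDOR demonstration: unauthenticated profile lookup beside a hardened one.
Added example; records, tokens and names are constructed, not Raw's."""
from typing import Callable, Dict, Iterable, Optional

# Constructed sample records keyed by sequential user id (not real data).
PROFILES: Dict[int, dict] = {
    1001: {"display_name": "alice", "birth_date": "1994-03-02",
           "preferences": "women", "location": (51.5074, -0.1278)},
    1002: {"display_name": "bob", "birth_date": "1990-11-17",
           "preferences": "everyone", "location": (40.7128, -74.0060)},
}

# Constructed session store: bearer token -> authenticated user id.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


class Unauthorized(Exception):
    """No valid session: the caller has not authenticated."""


class Forbidden(Exception):
    """Valid session, but the caller may not access this object."""


def get_profile_vulnerable(profile_id: int) -> dict:
    """IDOR: no authentication and no ownership check. Whoever supplies an id
    receives the full record, including precise location and birth date."""
    return PROFILES[profile_id]


def harvest(fetch: Callable[[int], dict], ids: Iterable[int]) -> Dict[int, tuple]:
    """What an attacker does with an IDOR: walk the id space and collect the
    location of every record the endpoint hands back. Failures are skipped."""
    found: Dict[int, tuple] = {}
    for pid in ids:
        try:
            found[pid] = fetch(pid)["location"]
        except (KeyError, Unauthorized, Forbidden):
            continue
    return found


def _authenticate(session_token: Optional[str]) -> int:
    """Map a bearer token to a user id, rejecting missing or unknown tokens."""
    user_id = SESSIONS.get(session_token or "")
    if user_id is None:
        raise Unauthorized("missing or invalid session token")
    return user_id


def get_profile_hardened(session_token: Optional[str], profile_id: int) -> dict:
    """Full record only for the authenticated owner. The ownership check runs
    before the lookup, so a non-owner learns nothing about whether the id exists."""
    user_id = _authenticate(session_token)
    if profile_id != user_id:
        raise Forbidden("profile %d is not owned by user %d" % (profile_id, user_id))
    return PROFILES[profile_id]


def view_profile_hardened(session_token: Optional[str], profile_id: int) -> dict:
    """What another authenticated user may see: a minimised view with the
    sensitive fields (birth date, coordinates) withheld. Owners get everything."""
    user_id = _authenticate(session_token)
    if profile_id == user_id:
        return PROFILES[profile_id]
    record = PROFILES.get(profile_id)
    if record is None:
        # Same error as a denied request, so missing ids cannot be enumerated.
        raise Forbidden("profile %d is not available" % profile_id)
    return {key: record[key] for key in ("display_name", "preferences")}


if __name__ == "__main__":
    # Against the vulnerable endpoint the sweep recovers every user's location;
    # against the hardened one, a logged-in user recovers only their own.
    print("vulnerable:", harvest(get_profile_vulnerable, range(1000, 1005)))
    print("hardened:  ", harvest(lambda pid: get_profile_hardened("tok-bob", pid),
                                 range(1000, 1005)))
```

Note that the hardened version compares the requested id with the id bound to the session rather than trusting any id in the request, and that even a legitimate viewer never receives raw coordinates; a real service would derive a coarse distance server-side instead of shipping the location.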
Raw, launched in 2023, claimed to protect user interactions with end-to-end encryption. TechCrunch found no evidence of such encryption during its testing: the server returned user records in the clear to anyone who requested them, so the data was accessible to anyone with a browser. In any case, end-to-end encryption between users would not have protected records that the server itself handed out without checking who was asking. After TechCrunch's report, Raw quickly fixed the vulnerability, securing the exposed endpoints and adding safeguards.
The company did not conduct a third-party security audit before the incident, despite claiming to use encryption for sensitive data. Raw also did not commit to informing affected users or updating its privacy policy in response to the breach. Although Raw’s co-founder confirmed that they would report the incident to data protection authorities, the company’s approach to user privacy and security remained uncertain. TechCrunch’s findings revealed significant gaps in the company’s security practices and raised questions about the app’s data protection.
Despite fixing the vulnerability, Raw faces criticism for not catching the issue sooner and for not informing users about the exposure. The incident highlights the risk of serving user records from endpoints that never verify who is asking or whether the caller is entitled to the object they request, and the importance of routine security testing. As cyber threats evolve, it is crucial for companies to prioritise user privacy and implement rigorous security checks to prevent such exposures.