A massive vulnerability has been exposed in the group dating app 3fun, with researchers gaining access to a trove of information on its users. In a further twist, users were uncovered in the corridors of power in the US and UK.
The app is described as a “Curious Couples & Singles Dating” platform. One would think that security would rank fairly high on the agenda for such a service; however that was clearly not the case as the Pen Test Partners security researchers, who discovered the vulnerability, described what they felt was “probably the worst security for any dating app we’ve ever seen.”
Personal information, sexual preferences, private photos, chat data and users’ real time locations were all exposed due to 3fun’s shoddy security practices.
The leak was due to 3fun storing its users’ location data in the app itself, as opposed to keeping it securely on its servers. This allowed the researchers to uncover the data on the client side, even for users who had restricted their location data.
The vulnerability meant that Pen Test Partners could discover the locations of 3fun’s users around the globe. Amazingly users were found in the White House, the US Supreme Court, and at 10 Downing Street in London. However the security experts did concede that it’s “technically possible” that these users faked their locations.
Pen Test Partners made 3fun aware of the bugs on July 1; however, it took weeks to address the issues. TechCrunch was able to independently verify the app’s vulnerability.