
Raw Dating App Security Breach: User Location Data and Personal Information Exposed
Major Security Breach Discovery
A significant security vulnerability has been uncovered in the Raw dating app, exposing sensitive user information and precise location data to potential unauthorized access. The dating platform, which launched in 2023 and has over 500,000 Android downloads, has been found to have serious privacy problems that contradict its security claims.
Critical Security Alert
The security lapse exposed users’ personal information including:
- Display names and dates of birth
- Dating and sexual preferences
- Precise location data (street-level accuracy)
- Profile information and user preferences
Extent of Exposed User Data
The timing of this security breach discovery is particularly concerning as it coincides with Raw’s announcement of their new hardware product, the Raw Ring. This unreleased wearable device claims to track partners’ emotional states and vital signs, raising additional privacy and ethical concerns about data security.
Privacy Claims vs. Reality
While Raw claims to implement end-to-end encryption for both its app and upcoming device, technical analysis revealed no evidence of such security measures. Instead, user data was found to be publicly accessible through basic web browsers.
Raw’s Response and Remediation
Following notification of the security vulnerability, Raw’s co-founder Marina Anderson confirmed that immediate action was taken to secure the exposed endpoints. However, several concerning aspects of the company’s response have emerged:
Key Response Points
- No commitment to proactively notify affected users
- Absence of third-party security audits
- Unclear timeline of data exposure duration
- Vague statements about encryption implementation
Technical Analysis of the Vulnerability
The security flaw was identified as an Insecure Direct Object Reference (IDOR) vulnerability, a serious security oversight that allowed unauthorized access to user data. The vulnerability was discovered through standard network traffic analysis during app testing.
Vulnerability Details
The exposed API endpoint at api.raw.app/users/ allowed access to any user’s private information by simply modifying an 11-digit identifier in the URL. This type of vulnerability is particularly dangerous due to its simplicity of exploitation and potential for automated data harvesting.
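The missing check, sketched as an added example (not Raw's code and not part of the original report): a handler that trusts the identifier in the URL, beside one that authenticates the caller and authorizes access per object. The user records, session tokens and field names are constructed assumptions.

```python
# Added example: constructed data; field names and tokens are assumptions.
USERS = {
    "10000000001": {"display_name": "alex", "date_of_birth": "1994-02-11",
                    "preferences": "constructed", "location": (52.52001, 13.40495)},
    "10000000002": {"display_name": "sam", "date_of_birth": "1990-07-30",
                    "preferences": "constructed", "location": (48.85661, 2.35222)},
}
SESSIONS = {"token-alex": "10000000001", "token-sam": "10000000002"}
PUBLIC_FIELDS = {"display_name"}  # what another member may see


class Unauthenticated(Exception):
    """Maps to HTTP 401: no valid session accompanied the request."""


def get_user_vulnerable(user_id):
    # IDOR: the identifier from the URL is the only thing consulted, so
    # every record is readable by anyone who supplies its ID.
    return USERS.get(user_id)


def get_user_hardened(session_token, user_id):
    # 1. Authentication: resolve the caller from a server-side session.
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Unauthenticated("valid session required")
    record = USERS.get(user_id)
    if record is None:
        return None  # HTTP 404
    # 2. Object-level authorization: full record only for its owner.
    if caller_id == user_id:
        return dict(record)
    # 3. Everyone else gets an allow-listed view; location and date of
    #    birth never leave the server for another member's request.
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print("vulnerable:", get_user_vulnerable("10000000002"))
    print("hardened (other member):", get_user_hardened("token-alex", "10000000002"))
    print("hardened (owner):", get_user_hardened("token-sam", "10000000002"))
```

Because the non-owner view is an allow-list, a field added to the record later stays private until it is explicitly listed.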
Security Implications and Future Concerns
The discovery of this security breach raises significant concerns about Raw’s approach to user privacy and data protection. The U.S. cybersecurity agency CISA has previously warned about the risks of IDOR vulnerabilities, emphasizing the need for proper authentication and authorization checks in application development.
Ongoing Concerns
- Lack of transparency in security practices
- Questions about data protection measures
- Privacy implications for future products
- Compliance with data protection regulations
While Raw has addressed the immediate security vulnerability, questions remain about the company’s overall approach to user privacy and data security. The incident highlights the critical importance of implementing robust security measures in dating apps and the need for regular third-party security audits to protect user information.