Dating app Raw exposed users’ location data and personal information


A security lapse at the dating app Raw openly exposed users’ personal information and private location data, TechCrunch has found.

The exposed information included users’ names, dates of birth, dating and sexual preferences, as well as users’ locations. Some of the location data included coordinates specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store shows up to 500,000 Android downloads to date.

News of the security lapse comes in the same week as a hardware extension of the startup’s dating app, the Raw Ring, a not-yet-released wearable device that the company claims will allow app users to monitor heart rate and other sensor information.

Notwithstanding the moral and ethical issues of monitoring romantic partners and the risks of emotional control, Raw claims on its website and in its privacy policy that its app and its device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the information.

When we tested the app this week, including an analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we saw information about the app’s users openly spilling to a web browser.

The data exposure was fixed shortly after TechCrunch contacted the company with details of the bug.

“All previously exposed endpoints have provided additional supplements to prevent similar issues in the future,” Marina Anderson of the Raw dating app told TechCrunch by email.

Asked by TechCrunch, Anderson said the company had not had a third-party security audit of its app, and “he focused on the fact that he focuses on our growing society with our growing society.”

Anderson would not commit to informing affected users about their information, but said the company will “send a detailed report to the provision of relevant information to the bodies of relevant information.”

It is not immediately known how the app was spilling users’ data. Anderson said the company was still investigating the incident.

Regarding the claim that the app uses end-to-end encryption, Anderson said Raw “applies access control for sensitive information in the transit and infrastructure.”

On whether the company plans to adjust its privacy policy, Anderson did not respond to an email from TechCrunch.

How we found the exposed data

TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without providing any real information.

We created a new user account with dummy data, such as a date of birth, and configured the virtual device’s location to appear at a museum in Mountain View, California. When the app requested our virtual device’s location, we allowed the app to access our exact location to within several meters.

We used a network traffic analysis tool to understand how the app works and what information about its users the app was uploading.

TechCrunch discovered the exposure within a few minutes of using the Raw app. When we first loaded the app, we saw that it pulled the user’s profile information directly from the company’s servers, but the server was not protected by any authentication.

In practice, this meant anyone could access any other user’s personal information by using a web browser to visit a web address on the server: api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to match any other user’s 11-digit identifier returned personal information from that user’s profile.

A screenshot showing a user profile created by TechCrunch, which contains the user's exact location.
Photo credits: TechCrunch
A screenshot showing the location of the TechCrunch user profile, hovering over Mountain View, California.
Photo credits: TechCrunch

This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or change data on someone else’s server because of a lack of proper security checks on the user accessing the data.

As we’ve explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also open every other mailbox on the same street. As such, IDOR bugs can be exploited with ease and in some cases allow access to record after record of user data.

The U.S. cybersecurity agency CISA has long warned of the risks posed by IDOR bugs, including the ability to access sensitive information “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers must ensure their apps perform proper authentication and authorization checks.
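
An added example, not from the original article or from Raw's code: a minimal in-memory sketch of the IDOR pattern described above next to a handler that performs the authentication and authorization checks CISA calls for. All function names, the sample records, the 11-digit IDs and the "public fields" policy are assumptions made for illustration.

```python
import secrets

# Constructed sample records; the 11-digit IDs and all field values are made up.
PROFILES = {
    "10000000001": {"name": "alice", "dob": "1990-01-01", "lat": 37.4143, "lon": -122.0774},
    "10000000002": {"name": "bob", "dob": "1988-05-17", "lat": 40.7411, "lon": -73.9897},
}
PUBLIC_FIELDS = ("name",)  # assumed policy: what another signed-in user may see
SESSIONS = {}              # session token -> user ID of the authenticated caller


def login(user_id):
    """Stand-in for real authentication: issue an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_user_vulnerable(user_id):
    """The IDOR pattern: the ID in the path is the only input the server looks at."""
    profile = PROFILES.get(user_id)
    return (200, dict(profile)) if profile else (404, None)


def get_user_hardened(user_id, token=None):
    """Authenticate the caller, then authorize access to this specific object."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None                  # no valid session: reject before any lookup
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, None
    if caller == user_id:
        return 200, dict(profile)         # the owner may read the full record
    # Any other caller gets only the public fields, never dob or coordinates.
    return 200, {k: profile[k] for k in PUBLIC_FIELDS}


def readable_sensitive_records(fetch):
    """Count records whose coordinates are readable through `fetch` (a regression check)."""
    return sum(1 for uid in PROFILES if "lat" in (fetch(uid)[1] or {}))
```

Running `readable_sensitive_records` against every profile endpoint in a test suite turns the authorization rule into a check that fails as soon as an unauthenticated or non-owner caller can read location fields.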

Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
