Close Menu
TechBrunchTechBrunch
  • Home
  • AI
  • Apps
  • Crypto
  • Security
  • Startups
  • TechCrunch
  • Venture

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

What's Hot

Naukri has published the recruiter's email address, researchers say

May 24, 2025

Khosla ventures among VCS experimenting with AI injection rollups in mature companies

May 23, 2025

Apple CEO reportedly urged the Texas governor to abandon the online child safety bill

May 23, 2025
Facebook X (Twitter) Instagram
TechBrunchTechBrunch
  • Home
  • AI

    OpenAI seeks to extend human lifespans with the help of longevity startups

    January 17, 2025

    Farewell to the $200 million woolly mammoth and TikTok

    January 17, 2025

    Nord Security founder launches Nexos.ai to help enterprises move AI projects from pilot to production

    January 17, 2025

    Data proves it remains difficult for startups to raise capital, even though VCs invested $75 billion in the fourth quarter

    January 16, 2025

    Apple suspends AI notification summaries for news after generating false alerts

    January 16, 2025
  • Apps

    Digg Founder Kevin Rose offers to buy a pocket from Mozilla

    May 23, 2025

    Bluesky begins to check for “notable” users

    May 22, 2025

    Mozilla shuts down its Read-It-Later app pocket

    May 22, 2025

    Opening a Social Web Browser Surf makes it easy for anyone to create custom feeds

    May 22, 2025

    Anthropic's new Claude4 AI model can be inferred in many steps

    May 22, 2025
  • Crypto

    Only 3 days left to save up to $900 to destroy the 2025 pass

    May 23, 2025

    Starting from up to $900 from Ticep, 90% off +1 in 2025

    May 22, 2025

    Early savings for 2025 will end on May 25th

    May 21, 2025

    Coinbase says its data breach will affect at least 69,000 customers

    May 21, 2025

    There are 6 days to save $900 to destroy 2025 tickets

    May 20, 2025
  • Security

    Naukri has published the recruiter's email address, researchers say

    May 24, 2025

    Apple CEO reportedly urged the Texas governor to abandon the online child safety bill

    May 23, 2025

    Artemis Seaford and Ion Stoica cover the ethical crisis in their sessions: AI

    May 23, 2025

    Mysterious hacking group Careto was run by the Spanish government, sources say

    May 23, 2025

    Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

    May 22, 2025
  • Startups

    7 days left: Founders and VCs save over $300 on all stage passes

    March 24, 2025

    AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

    March 24, 2025

    20 Hottest Open Source Startups of 2024

    March 22, 2025

    Andrill may build a weapons factory in the UK

    March 21, 2025

    Startup Weekly: Wiz bets paid off at M&A Rich Week

    March 21, 2025
  • TechCrunch

    OpenSea takes a long-term view with a focus on UX despite NFT sales remaining low

    February 8, 2024

    AI will save software companies' growth dreams

    February 8, 2024

    B2B and B2C are not about who buys, but how you sell

    February 5, 2024

    It's time for venture capital to break away from fast fashion

    February 3, 2024

    a16z's Chris Dixon believes it's time to focus on blockchain use cases rather than speculation

    February 2, 2024
  • Venture

    Khosla ventures among VCS experimenting with AI injection rollups in mature companies

    May 23, 2025

    Klarna CEO and Sutter Hill wins lap after Jony Ive's Openai deal

    May 22, 2025

    Wild story of how Moxxie-led Intestinal Toilet Startup Sloan was registered as a gut toilet startup throne

    May 22, 2025

    Submitted submission raises $17 million to automate tax preparation dr voyages

    May 21, 2025

    In a busy VC landscape, Elizabeth Weil's graffiti venture shows that networks are still important

    May 21, 2025
TechBrunchTechBrunch

Location data and personal information for public users of dating apps

TechBrunchBy TechBrunchMay 2, 20255 Mins Read
Facebook Twitter Pinterest Telegram LinkedIn Tumblr WhatsApp Email
Share
Facebook Twitter LinkedIn Pinterest Telegram Email


Due to the lapse of security in the Dating App, RAW has released user personal and private location data, TechCrunch discovered.

The published data included the user's display name, date of birth, date of dating, sexual preferences related to the RAW app, and user location. Some of the location data contained coordinates specific enough to find raw app users with Street-level accuracy.

Launched in 2023, Raw is a dating app that claims to provide more authentic interactions with others by asking users to upload photos of their daily selfies. The company has not disclosed the number of users, but the Google Play Store app list notes over 500,000 Android downloads so far.

News of security lapse comes the same week when the startup announced the hardware extension for its dating app Raw Ring. It claims that app users can track their partner's heart rate and other sensor data to receive AI-generated insights.

We use security features that prevent moral and ethical issues and emotional surveillance risks that track romantic partners, and the privacy policy that both the website and its app and its unreleased devices from accessing data using security features that prevent users, including non-users, from accessing data using security features that prevent users, including non-users.

When trying out an app this week that includes an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app exposes data about the user to people who have a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

“All previously exposed endpoints have been secured and additional safeguards have been implemented to prevent similar issues in the future,” Marina Anderson, co-founder of Raw Dating App, told TechCrunch in an email.

When asked by TechCrunch, Anderson confirmed that the company is not doing third-party security audits for its apps, adding that it “focuses on building high-quality products and being meaningfully engaging with a growing community.”

Anderson did not commit to actively notifying affected users that the information was made public, but said the company will “submit a detailed report to relevant data protection authorities under applicable regulations.”

It is not immediately clear how long an app is publishing user data. Anderson said the company is still investigating the incident.

Regarding the claim that the app uses end-to-end encryption, Anderson said RAW “enforces access control for sensitive data within the infrastructure and thoroughly analyzes the situation, further steps will be clear.”

When asked if the company plans to adjust its privacy policy, Anderson did not say that he did not respond to follow-up emails from TechCrunch.

How did you find published data?

TechCrunch discovered a bug on Wednesday in a quick test of the app. As part of my testing, I installed the RAW dating app on my Virtualized Android device. This allows you to use your app without providing actual data such as physical locations.

I created a new user account with dummy data such as name and date of birth, and configured the virtual device location as if I were in a museum in Mountain View, California. When the app requested a virtual device location, the app allowed access to the exact location up to a few meters.

Data was monitored and inspected inside and outside the RAW app using network traffic analysis tools. This allowed me to understand how the app works and what kind of data the app is uploading about users.

TechCrunch discovered data exposure within minutes of using the RAW app. When I first loaded the app, I found out that although I was pulling user profile information directly from the company server, the server didn't protect the data returned by authentication.

In fact, it means that you can access other users' personal information by visiting the web address of a server published using a web browser (API.raw.app/users/) followed by a unique 11-digit number corresponding to other app users. Changing the numbers to correspond to other users' 11-digit identifiers returned personal information from the user's profile, which contains location data.

A screenshot showing the profile of the exposed user set by TechCrunch, including the exact location of the user.Image credit: TechCrunch

A screenshot showing the location of the profile of a TechCrunch user on a map hovering over Mountain View, California.Image credit: TechCrunch

This type of vulnerability is known as an insecure direct object reference, or IDOR. This allows someone to access or modify data on another person's server because there is no proper security check to access the data.

As mentioned before, the bug in Idor is similar to having a key for a private mailbox, for example, but that key can also unlock all other mailboxes on the same way. As such, IDOR bugs are easily exploited and sometimes enumerated, allowing you to access the records after recording your user data.

The US cybersecurity agency CISA has long been warning of the risks presented by IDOR bugs, including the ability to access “large-scale” sensitive data. As part of the Secure by Design Initiative, CISA said in its 2023 advisory that developers should ensure that apps can perform appropriate authentication and authorization checks.

Raw fixed a bug so published servers no longer return browser user data.



Source link

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email

Related Posts

Naukri has published the recruiter's email address, researchers say

May 24, 2025

Apple CEO reportedly urged the Texas governor to abandon the online child safety bill

May 23, 2025

Artemis Seaford and Ion Stoica cover the ethical crisis in their sessions: AI

May 23, 2025

Mysterious hacking group Careto was run by the Spanish government, sources say

May 23, 2025

Microsoft says Lumma Password Stealer Malware found on 394,000 Windows PCs

May 22, 2025

Signal's new Windows update prevents the system from capturing screenshots of chat

May 22, 2025

Leave A Reply Cancel Reply

Top Reviews
Editors Picks

7 days left: Founders and VCs save over $300 on all stage passes

March 24, 2025

AI chip startup Furiosaai reportedly rejecting $800 million acquisition offer from Meta

March 24, 2025

20 Hottest Open Source Startups of 2024

March 22, 2025

Andrill may build a weapons factory in the UK

March 21, 2025
About Us
About Us

Welcome to Tech Brunch, your go-to destination for cutting-edge insights, news, and analysis in the fields of Artificial Intelligence (AI), Cryptocurrency, Technology, and Startups. At Tech Brunch, we are passionate about exploring the latest trends, innovations, and developments shaping the future of these dynamic industries.

Our Picks

Naukri has published the recruiter's email address, researchers say

May 24, 2025

Khosla ventures among VCS experimenting with AI injection rollups in mature companies

May 23, 2025

Apple CEO reportedly urged the Texas governor to abandon the online child safety bill

May 23, 2025

Subscribe to Updates

Subscribe to our newsletter and never miss our latest news

Subscribe my Newsletter for New Posts & tips Let's stay updated!

© 2025 TechBrunch. Designed by TechBrunch.
  • Home
  • About Tech Brunch
  • Advertise with Tech Brunch
  • Contact us
  • DMCA Notice
  • Privacy Policy
  • Terms of Use

Type above and press Enter to search. Press Esc to cancel.