Raw Dating App Exposed User Data and Location

Dating app Raw recently experienced a significant security breach, exposing users' personal information, including their precise locations. TechCrunch discovered the vulnerability, which stemmed from an insecure direct object reference (IDOR) bug.

Raw, launched in 2023, promotes genuine interactions through daily selfie uploads. While the company doesn't disclose user numbers, the Google Play Store indicates over 500,000 Android downloads. This incident coincided with Raw's announcement of the "Raw Ring," a wearable designed to track partners' heart rates and other data, raising ethical concerns about relationship surveillance.

Raw claims end-to-end encryption protects user data, but TechCrunch found no evidence of this during testing. Instead, user data was publicly accessible via a simple web browser query.

How the Data Was Exposed

TechCrunch's investigation revealed the IDOR vulnerability allowed access to user profiles by manipulating a unique 11-digit identifier in the server URL. This meant anyone could view a user's display name, date of birth, dating preferences, and precise location data.

Raw co-founder Marina Anderson confirmed the issue was fixed after TechCrunch contacted them. Anderson stated,

"All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future."

Anderson admitted Raw hadn't conducted a third-party security audit and wouldn't commit to notifying affected users. However, Anderson said a report would be submitted to the relevant data protection authorities. The duration of the exposure remains unclear, and Raw is investigating. While stating that Raw uses "encryption in transit and access controls," Anderson didn't clarify the company's encryption practices or comment on potential privacy policy revisions.

TechCrunch's Discovery

TechCrunch discovered the vulnerability while testing the Raw app on a virtual Android device. Using network traffic analysis, they observed user data being retrieved from the server without authentication, leading to the discovery of the IDOR bug. This type of vulnerability, as highlighted by CISA, can expose sensitive data at scale due to inadequate security checks.
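To make the IDOR pattern described above and in "How the Data Was Exposed" concrete, here is an added example (not Raw's code, and not TechCrunch's test harness) of a minimal profile endpoint in its vulnerable form beside a hardened form that authenticates the caller, authorises against the requested id, and minimises what a matched user receives. All records, tokens and match relationships are constructed, and the 11-digit keys only mimic the identifier format reported.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; the 11-digit keys mimic the identifier format
# TechCrunch reported, and every value is invented.
PROFILES = {
    "10000000001": {"display_name": "Alice", "dob": "1995-04-02",
                    "preferences": "women", "lat": 51.5074, "lon": -0.1278},
    "10000000002": {"display_name": "Bob", "dob": "1992-11-20",
                    "preferences": "men", "lat": 48.8566, "lon": 2.3522},
}
# Session token -> profile id of the logged-in user (constructed).
SESSIONS = {"tok-alice": "10000000001", "tok-bob": "10000000002"}
# Pairs of users who have matched and may see each other (constructed).
MATCHES = {("10000000001", "10000000002")}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def get_profile_vulnerable(profile_id: str) -> Response:
    """The IDOR pattern: the id in the URL is the only input, so whoever
    changes the number receives the full record, precise location included."""
    profile = PROFILES.get(profile_id)
    return Response(200, profile) if profile else Response(404, None)


def get_profile_hardened(profile_id: str, auth_token: Optional[str]) -> Response:
    """Authenticate the caller, authorise against the requested id, and return
    only the fields that the viewer's relationship to the target justifies."""
    viewer = SESSIONS.get(auth_token or "")
    if viewer is None:
        return Response(401, None)          # no valid session: nothing leaks
    profile = PROFILES.get(profile_id)
    if viewer == profile_id and profile is not None:
        return Response(200, profile)       # owners see their own full record
    matched = (viewer, profile_id) in MATCHES or (profile_id, viewer) in MATCHES
    if profile is None or not matched:
        # One answer for "no such id" and "not yours", so the response does
        # not reveal which ids exist.
        return Response(404, None)
    # Matched users get a minimised view: no date of birth, coarse location.
    return Response(200, {
        "display_name": profile["display_name"],
        "preferences": profile["preferences"],
        "approx_location": (round(profile["lat"], 1), round(profile["lon"], 1)),
    })
```

The same 404 for unknown and forbidden ids, plus the 401 on every unauthenticated request, is what turns an endpoint that answered "a simple web browser query" into one that gives an anonymous caller nothing to work with.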

This security lapse raises serious concerns about user data protection on dating apps. The incident underscores the importance of thorough security audits and transparent communication with users regarding data breaches.