
Donald Daters, a dating app for Trump supporters, leaked its users’ data - fooey
https://techcrunch.com/2018/10/15/donald-daters-a-dating-app-for-trump-supporters-leaked-its-users-data/
======
jdoliner
Not calling this app Covfefe Meets Bagel seems like a bit of a missed
opportunity to me. Not making the Firebase instance private seems like a
bigger missed opportunity though.

------
protomyth
I suppose this could be an interesting attack vector on folks. Pick a group
you hate, create a website specifically targeted at that group, get their
personal information, and then have a "data breach". Just being part of some
groups could seriously impact people in certain circles.

It's not like there is much risk for the website owners given past breaches. At
worst you fold the company and even that isn't very certain since TOS seems to
be king.

~~~
pbarnes_1
"Emily Moreno, the app’s founder and a former aide to Sen. Marco Rubio"

Seems unlikely in this case.

~~~
protomyth
Sen. Marco Rubio is not a Trump fan (now that is an understatement), so I'm
not sure that makes it less likely. I have doubts in this case and chalk it up
to crappy developers unless something more comes of it.

It still seems like an attack vector that has a really good risk / reward
ratio. Thinking about it, it also seems like an interesting way to feed an
election campaign's big data.

------
bentona
Politics aside, is the person who found this exploit really a "security
researcher" if they sent the data to a news publisher instead of responsibly
disclosing the issue?

~~~
sp332
Yes. This way the users know to protect themselves as quickly as possible.
It's not like they made the app easier to hack with the information in the
article, anyone who looks at the app will see the data.

~~~
bhhaskin
I don't agree. Maybe if they just reported it instead of sending the data.
That implies malicious intent.

~~~
sp332
Downloading the data is always harder to defend than just discovering it. But
unless and until they do something malicious, or sell the data to the highest
bidder, I'm going to say it's fair game. Really we don't know how many
independent copies were made while the data was live, and however much blame I
assign to the hacker has got to be tiny compared to the responsibility of the
app maker.

------
monksy
Minimal Viable Products strike again.

------
huebomont
Anyone with half a brain could tell this was a bare-minimum effort that you
shouldn't trust with your information.

------
YuriGrinshteyn
The best people.

------
blackflame7000
Both the people that use the app and attack the app need to reevaluate what's
important in life.

------
0x8BADF00D
Why does everyone seem to make the same mistake? DO NOT roll your own crypto.

~~~
stevenwoo
The article mentions it was because their Firebase database was unsecured -
meaning anyone who knew the URL could get access to all the data. That was the
default for a long time, and Firebase will send you email reminders if you
keep it unsecured. The developer ignored the best practices mentioned in the
Firebase documentation and the email reminders that come out once a week (I
think).
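
A check for the misconfiguration described in the comment above, as an added example that is not part of the thread or the app's code. It assumes the database is a Firebase Realtime Database with a JSON rules document (the thread says only "Firebase database"); `findPublicRules` and `auditRules` are hypothetical names, and both rule sets are constructed samples.

```javascript
// Audits a Realtime Database rules document for paths that anyone can read
// or write. Rules cascade downward: once a parent grants access, a child
// rule cannot revoke it, so a grant is reported only at its topmost path.
function findPublicRules(node, path = "/", inherited = {}) {
  const findings = [];
  const granted = { ...inherited };
  for (const op of [".read", ".write"]) {
    const expr = node[op];
    // A literal true (boolean or the string "true") grants access to
    // everyone, including unauthenticated clients.
    const open = expr === true || (typeof expr === "string" && expr.trim() === "true");
    if (open && !granted[op]) {
      findings.push({ path, op, reason: "granted to everyone" });
      granted[op] = true;
    }
  }
  for (const [key, child] of Object.entries(node)) {
    // Keys starting with "." are rule expressions, not child paths.
    if (key.startsWith(".") || typeof child !== "object" || child === null) continue;
    const childPath = path === "/" ? `/${key}` : `${path}/${key}`;
    findings.push(...findPublicRules(child, childPath, granted));
  }
  return findings;
}

function auditRules(jsonText) {
  const doc = JSON.parse(jsonText);
  if (!doc.rules || typeof doc.rules !== "object") {
    throw new Error('expected a top-level "rules" object');
  }
  return findPublicRules(doc.rules);
}

// Constructed sample: fully open database. The per-user rule underneath has
// no effect because the root already grants read access.
const OPEN_RULES = `{"rules": {".read": true, ".write": true,
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid"}}}}`;

// Constructed sample: records limited to their signed-in owner, with one
// leftover public subtree.
const MIXED_RULES = `{"rules": {
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid"}},
  "messages": {".read": "true"}}}`;

for (const [name, text] of [["open", OPEN_RULES], ["mixed", MIXED_RULES]]) {
  console.log(name, auditRules(text));
}
```
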

