
Group sex app leaks locations, pics and personal details - chovy
https://www.pentestpartners.com/security-blog/group-sex-app-leaks-locations-pictures-and-other-personal-details-identifies-users-in-white-house-and-supreme-court/
======
larkinrichards
I’ve reported a bug like this in an application that deals with a similarly
sensitive topic— They managed to call me back in 30 minutes (I never gave them
my number) and had it fixed in a few hours.

I did contact them via every medium I could find, not just email. Obviously,
the response these folks got from the company should have told them they were
talking to the wrong person, and they should have been more vigilant in
attempting to contact the right person.

~~~
jammygit
How often do the researchers get paid for doing this sort of work?

~~~
larkinrichards
An early stage company doesn’t have much to pay you with, but they’re thankful
for the help.

From my perspective, protecting the data of 10k users was just as important
as— or more important than— protecting the data of 1.5m users.

I feel bad when people assume negative intent. I don’t think anyone at this
company wanted to violate the privacy of their users— they just didn’t get the
message through the right channels.

~~~
comboy
> protecting the data of 10k users was just as important as— or more important
> than— protecting the data of 1.5m users

Care to elaborate on the logic behind that?

~~~
aflag
One line of reasoning is that everyone will know about companies leaking
data of millions, so they can take steps to mitigate, whereas probably no one
will know about a leak like this and will just live unaware.

------
sersi
Isn't it irresponsible for Pen Test Partners to publish the maps with the
location markers with such details as they did in London?

It's a good example of how concerning this is, but they should have shown fake
data there since this is still users' private data...

~~~
slg
That is basically the middle of London. I expect hundreds of thousands of
people pass through the area in the screenshot every day. The density of
people there is so high that the location really can't be linked to anyone
specific. Plus it is real time location so you can't distinguish if this is a
person's home, someone at work, someone checking the app while sitting on a
bus, etc. This location data would be much more dangerous if it was showing
the manually entered addresses of users, a screenshot of an area with a low
density of people, or if you had constant access and could identify patterns
of locations to identify individuals.

~~~
rurounijones
To be devil's advocate, since London is _coated_ with CCTV, some bad actor
(think state or organisation with access to said CCTV) here could probably
combine the location timestamps with CCTV images and identify people.

I am sure some civil servant could argue that knowing if people in "positions of
power" were using such apps that opened them up to blackmail means they
should therefore be checked as a precaution.

~~~
Shoue
If you've ever had a crime committed against you in London you'll know just
how useless the CCTV can be. The quality is often so bad you can't really get
anything useful from it, and in many cases the camera isn't even
on/working/recording to anything.

~~~
dharma1
I had my bike nicked a few weeks ago in London. Turns out the council
installed new HD/4K cameras that very morning right where I left it - they
managed to ID and arrest the perp, and charge him with multiple other thefts
too.

So it looks like the crappy CCTV is getting an upgrade.

~~~
mjlee
Did you get the bike back?

~~~
dharma1
Unfortunately, very little chance of that; long sold.

------
maximente
All of this makes me wonder when - not if - there's going to be House of Cards
style blackmail + intrigue when it comes to leveraging data leaks like these
over politicians or influential people.

"Vote for this or we expose your $recent_embarrassing_breach data" is quite a
powerful ultimatum, no? And the only way to win is not to play (e.g. never
download + use a potentially embarrassing app), and we know that many aren't
so digitally savvy, so this seems like a gold mine for nefarious uses.

I dunno, maybe it's too tin foily, but it feels inevitable.

~~~
redleggedfrog
After this latest spiral down in the degradation of politics I feel like that
kind of information would nearly be a badge of honor. When your highest seat
of the government does pr0n stars, well, the bar is pretty low.

~~~
ultrarunner
Maybe for the type of person that ‘rises’ to political office, but regular
people probably still care quite a bit.

~~~
traderjane
Do regular people care with their words or with their votes? Because if it's
just words, then how much care is there? As Mitch McConnell's office has stated
recently, "Boys will be boys."

Isn't that an informal assessment of American culture?

~~~
imesh
Certainly not of corporate culture. People get fired for stuff like that all
the time. Jonathan Friedland said the n-word and had to step down from Netflix,
and he didn't even use it in a racist context. He only said the word as he
listed offensive words.

Weird sex stuff can certainly be used to affect people in powerful corporate
positions.

------
elmo2you
Maybe I didn't have enough coffee yet today, or maybe I'm just missing
something entirely, but... this whole report talks about how the web API
leaks user data, right? Yet all I see in their examples are HTTPS requests.
Doesn't that require that somebody already infiltrated either a client device
(scope limited to a single client) or a central server? How did they
man-in-the-middle/decrypt this HTTPS traffic?

True, if a web cache (not under exclusive control of the company) can be
queried for this data by a 3rd party, it sure is a big problem. But that is
rather an operational fuck-up more than it is a fundamental design flaw.

How did these pen testers get access to server requests, inside the HTTPS
traffic with 3fun's servers? I'm curious how they got access to this info. I'm
also curious why nobody else appears to be asking that question. Did I read
the article too quickly and miss something that explains how they did that?

~~~
kjaftaedi
They're just querying the API.

The data they are examining was meant so the app knows how many people are "in
your area", but instead of just giving you some vague information, it's
giving you the exact coordinates of other users, and identifying info about
them.

~~~
rossdavidh
Really, one could argue it's not even "leaking" data about other users, it's
just delivering that data to you per your request. "Leak" kind of implies at
least disclosing info about other users was not your intention, whereas this
seems more like "Delivering".

~~~
hn_throwaway_99
> "Leak" kind of implies at least disclosing info about other users was not
> your intention

That's the whole point - it's not uncommon for (very) junior programmers to
not understand the difference between client and server-side validation. This
is absolutely a leak.

------
ghostpepper
Isn't ~35 days very short for a responsible disclosure timeline? This is
extremely sensitive info and from the blog post it sounds like they didn't
even warn the company that they were planning to disclose it.

edit: didn't notice the article does mention the problem was fixed before
publishing, although they don't say how well it was fixed

~~~
rolltiide
> 3fun took action fairly quickly and resolved the problem, but it’s a real
> shame that so much very personal data was exposed for so long.

~~~
ghostpepper
Ah, thanks, I missed that on first scan.

------
edejong
I’m just waiting for the day when Tinder is down in popularity, security fixes
are a bit more lackadaisical and a zero-day exposes a decade of personal
preferences of a large share of the population, not unlike a nuclear waste
leak. Imagine the awkwardness when a coworker finds out you swiped them left
(or right).

And no, I am not going to end this with a paternalistic or moralistic
statement.

~~~
Kuraj
> Imagine the awkwardness when a coworker finds out you swiped them left (or
> right).

This really doesn't seem like that big of a deal to me.

------
dymk
I thought "pentestpartners" was writing a self post-mortem based on that
company description.

~~~
jagannathtech
Thank God I'm not alone

------
Scoundreller
Penetration testing a group sex app.

I'm surprised it hasn't been done before.

~~~
hermitdev
I certainly chuckled at the combination of the title and the domain the
article is hosted at. pentestpartners sounds like it could be the name of a
group sex app...

~~~
xkcd-sucks
"penetration testing" is my new euphemism for "early stage dating"

------
oaiey
While reading this, it crossed my mind that part of this is a result of too
much frontend code, here in exposing the location for distance purposes.

------
mschuster91
Interesting, that's the second dating app with a data leak today - Lovoo also
has one, though the data is not as fine-grained as here.
[https://www.heise.de/newsticker/meldung/Dating-App-Lovoo-Nutzer-koennen-leicht-geortet-werden-4492446.html](https://www.heise.de/newsticker/meldung/Dating-App-Lovoo-Nutzer-koennen-leicht-geortet-werden-4492446.html)

------
stockkid
Reminds me of a similar submission a while ago:
[https://news.ycombinator.com/item?id=18029078](https://news.ycombinator.com/item?id=18029078)
Shame that they transmit sensitive information like that in a URL param in
plaintext.

------
userbinator
I agree that the ineffective privacy setting is broken, but I feel like an app
which has as part of its functionality finding users near you, naturally needs
to tell others your location, and vice-versa. I assume any app which asks for
GPS permissions is going to phone home with your location.

~~~
ceejayoz
"There's someone within a mile of you" and "here's their coordinates down to
~30 feet, and their supposedly private photo, and their birthday" are very
different bits of info.
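The contrast kjaftaedi and ceejayoz draw above (a "someone is within a mile" answer versus the server handing out exact coordinates, private photos and birthdays, with any "hide me" setting enforced only by the client), as an added illustration that is not code from the article, from 3fun or from this thread; the user records, the `hide_location` flag and the field names are constructed for the example:

```python
import math

# Constructed sample records (not real users). hide_location models an
# assumed per-user "hide my location" privacy setting.
USERS = [
    {"id": 1, "lat": 51.5074, "lon": -0.1278, "birthday": "1990-01-01",
     "private_photo": "p1.jpg", "hide_location": False},
    {"id": 2, "lat": 51.5155, "lon": -0.0922, "birthday": "1985-06-15",
     "private_photo": "p2.jpg", "hide_location": True},
    {"id": 3, "lat": 51.4545, "lon": -2.5879, "birthday": "1992-03-03",
     "private_photo": "p3.jpg", "hide_location": False},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def nearby_leaky(my_lat, my_lon, radius_km):
    """The anti-pattern: return whole records and trust the client to hide
    coordinates, private photos, birthdays and hidden users (client-side 'privacy')."""
    return [u for u in USERS
            if haversine_km(my_lat, my_lon, u["lat"], u["lon"]) <= radius_km]

def distance_bucket(d_km):
    """Coarsen an exact distance into the vague range the UI actually needs."""
    if d_km < 1:
        return "under 1 km"
    if d_km < 5:
        return "1-5 km"
    return "5+ km"

def nearby_hardened(my_lat, my_lon, radius_km):
    """Server-side enforcement: honour hide_location here, and emit only an
    id and a distance bucket, never coordinates or other profile fields."""
    out = []
    for u in USERS:
        if u["hide_location"]:
            continue
        d = haversine_km(my_lat, my_lon, u["lat"], u["lon"])
        if d <= radius_km:
            out.append({"id": u["id"], "distance": distance_bucket(d)})
    return out
```

The leaky variant is what an API consumer sees when privacy lives in the client: every field for every user in range, regardless of their settings.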

------
flywithdolp
That's a great example of a lack of understanding, on the sex app's part, of
the gap between great UX and the risks the user faces when all those features
are in the app.

------
ratel
Very funny: A security issue in a group sex app is reported by penetration
test partners. It could have been the name of the app.

------
tossAfterUsing
there's a group sex app? brilliant!

------
Bostonian
I doubt it is good for society for such apps to exist in the first place.

~~~
sceptically
I am curious... Why do you think so?

~~~
Bostonian
The app is promoting, and is a manifestation of, what a National Review essay
calls our

Our Childless, Childish Culture By MADELEINE KEARNS August 8, 2019 3:34 PM
[https://www.nationalreview.com/2019/08/our-childless-childish-culture/](https://www.nationalreview.com/2019/08/our-childless-childish-culture/)

In the Western world and Asia, fertility is below replacement level, and in
the Western world, the fraction of children born out of wedlock, who do worse
than children of married couples by any measure, is rising. So I think working
on something like eHarmony is much more moral than the app discussed in this
thread.

