Hacker News
Group sex app leaks locations, pics and personal details (pentestpartners.com)
362 points by chovy 66 days ago | 138 comments

I’ve reported a bug like this in an application that deals with a similarly sensitive topic— They managed to call me back in 30 minutes (I never gave them my number) and had it fixed in a few hours.

I did contact them via every medium I could find, not just email. Obviously, the response these folks got from the company should have told them they were talking to the wrong person, and they should have been more vigilant in attempting to contact the right person.

I contacted a similar Finnish-based application about similar issues, where almost everything, including all the user images, could have been collected from the JSON API endpoint.

Their response was that it is not a bad system or insecure because the information is only available to logged-in users. So the API just needs an authentication header.

So all the user data could have been easily collected into one's own database using a simple script.

> They managed to call me back in 30 minutes (I never gave them my number)

What does this mean? They tracked you down?

I imagine most mobile apps have access to the basic dialer info of the phone they're running on.

Apple actually doesn’t expose this via any iOS APIs. Not 100% sure about Android.

Pretty sure Android does. TikTok knew my phone number before I gave it to them.

Could be as easy as a friend of yours uploading their whole address book (ostensibly “to find friends”)

On Android you need to give it the READ_PHONE_STATE permission.

Does it expose any sort of "device id"? Such ids are usually asked for by advertisers and iOS and Android gladly give it to them. I'm sure there are device-id to phone-number maps out there, and anyone with money can get access to them.

The device ID that you can get via any SDK on iOS is not real. And even if you can get it by any other means, Apple would not approve your app.

Consider _any_ app you've linked your email and phone number to, could (in theory) sell access to your data to any other company that only has your email, and they have both. Or (as another commenter noted) the great many apps that upload your (friends') entire contact list. Consider all the IDs, fingerprinting techniques (etc.) out there, juxtaposed against the high value that information has (in marketing / ad space) and it seems likely there are many ways to get this information, whether or not you provided it.

Unique device IDs are app-specific.

They did their research.

How often do the researchers get paid for doing this sort of work?

An early stage company doesn’t have much to pay you with, but they’re thankful for the help.

From my perspective, protecting the data of 10k users was just as important as— or more important than— protecting the data of 1.5m users.

I feel bad when people assume negative intent. I don’t think anyone at this company wanted to violate the privacy of their users— they just didn’t get the message through the right channels.

> protecting the data of 10k users was just as important as— or more important than— protecting the data of 1.5m users

Care to elaborate on the logic behind that?

One line of reasoning is that everyone will know about companies leaking data of millions, so they can take steps to mitigate, whereas probably no one will know about a leak like this and will just live unaware.


1) early users feel the most connected with your technology and are the most hurt when you screw them over. At that stage, it can sink your company. 2) fixing this when you have 10k users prevents you from leaking the data of the next 1.49m users.

In my last startup we received 5 bitcoin from Coinbase for finding a relatively minor security bug. Prices were pretty low then though.

With hindsight, a hell of a call option.

Generally boils down to whether or not the company has some kind of bug bounty program. If they do and it’s in scope, you will probably get paid...in this case likely $1-5k.

Smaller companies that don’t have a bug bounty might provide a token reward just because, larger companies generally won’t.

Any company that hasn’t explicitly authorized ‘research’ might also choose to sue.

Larger companies put out bounties so that researchers will spend more time on specific issues they have.

Now you are assuming there IS a right person to talk to.

At a certain point I think we'll arrive at the collective realization that we all have digital skeletons in our closet. When we all stink, nobody stinks.

When everybody stinks, you lose your freedom, as anybody can pressure you.

It’s not because everybody stinks that you know they stink or can exploit it.

Isn't it irresponsible for Pen Test Partners to publish the maps with the location markers with such details as they did in London?

It's a good example of how concerning this is, but they should have shown fake data there since this is still users' private data...

That is basically the middle of London. I expect hundreds of thousands of people pass through the area in the screenshot every day. The density of people there is so high that the location really can't be linked to anyone specific. Plus it is real time location so you can't distinguish if this is a person's home, someone at work, someone checking the app while sitting on a bus, etc. This location data would be much more dangerous if it was showing the manually entered addresses of users, a screenshot of an area with a low density of people, or if you had constant access and could identify patterns of locations to identify individuals.

Mayfair and Marylebone are a mix of individual houses and 5-8 storey apartment blocks. It’s not that anonymous depending on the address.

To be devil's advocate, since London is coated with CCTV, some bad actor (think state or organisation with access to said CCTV) here could probably combine the location timestamps with CCTV images and identify people.

I am sure some civil servant could argue the need to know if people in "positions of power" were using such apps that opened them up to blackmail, and that they should therefore be checked as a precaution.

If you've ever had a crime committed against you in London you'll know just how useless the CCTV can be. The quality is often so bad you can't really get anything useful from it, and in many cases the camera isn't even on/working/recording to anything.

I had my bike nicked a few weeks ago in London. Turns out the council installed new HD/4K cameras that very morning right where I left it - they managed to ID and arrest the perp, and charge him with multiple other thefts too.

So it looks like the crappy CCTV is getting an upgrade.

Did you get the bike back?

Unfortunately, very little chance of that; long sold.

At this moment it might be a concern, but in another 20-30 years (especially as organized religion fades in some countries) people will stop seeing sex as a shameful thing.

Privacy is important, however, so apps/services should not leak this kind of info. That's still a thing regardless of what the repercussions of leaked data could mean.

No state organization has access to all that CCTV. Most of them are private cameras, and most are not networked. Some of the local authorities in central London do have networked cameras facing the streets, but it's not nearly as bad as you're suggesting.

The users' data is far more secure as a result of Pen Test Partners' actions. So there's a dot on a map within a block or two of your downtown apartment, indicating that somebody in the area is freaky. As opposed to a public API leaking your location, birthdate, orientation, kinks, and nudes.

This is worse assuming it hasn't expired yet: "https://s3.amazonaws.com/3fun/019/user-1436xxx/5858xxx-big.jpg"

all of this makes me wonder when - not if - there's going to be House of Cards style blackmail + intrigue when it comes to leveraging data leaks like these over politicians or influential people.

"vote for this or we expose your $recent_embarrassing_breach data" is quite a powerful ultimatum, no? and the only way to win is not to play (e.g. never download + use a potentially embarrassing app), and we know that many aren't so digitally savvy, so this seems like a gold mine for nefarious uses.

i dunno, maybe it's too tin foily but it feels inevitable.

Uh didn't this just happen with Bezos?

Although I heard they targeted a personal phone, I don't think it makes that much difference. Computers are insecure in all sorts of ways, whether it's your own phone or somebody's servers.

In that case they were trying to blackmail him into making some public statement, with pretty high stakes as far as I remember.

Kudos to him for not capitulating!

And it appears Jeffrey Epstein may have been using compromising information to blackmail the rich and powerful, then laundered the money through a fraudulent hedge fund operation.

This is a tangent but is that what it appears to be? Some people must really like associating with their blackmailers if that's the case.

Maybe Epstein never actually needed to blackmail anyone? Maybe they were just happy to be sold tickets on the Lolita Express? I’m sure he kept some blackmail material regardless, which will soon be revealed.

> Some people must really like associating with their blackmailers if that's the case.

Or their blackmailers require the social engagements and outwardly positive attitude as part of the blackmail.

IIRC, the brother of Bezos' girlfriend sold the texts to the media. The good old way of getting the goods, just pay somebody close to it ;)

Bezos' investigator Gavin De Becker claims that the Saudis hacked the phone. National Enquirer already knew about the affair when they contacted the brother.

It’s well known that the FBI had dossiers on political opponents that were used to silence them, or attempt to silence them (Daniel Ellsberg, Martin Luther King). What you’re proposing would merely be the same concept with a different leverage mechanism. I’m sure private interests would also have the same ideas.

It is a lot easier to collect this kind of data as well.

You're right, and that's where the parallel I offered kind of breaks down: the digital-domain hacks can scale much more readily than the older ones could, and even at the targeted level, digital information-gathering may be less risky.

If there's anybody that actually thinks that conspiratorial, consider two mutually exclusive options, one of which must be true:

1) Companies collecting massive amounts of data will only use the data in a lawful and ethical fashion, even in cases where they perceive there to be a potential for significant gain in misuse.

2) Companies collecting massive amounts of data will, sooner or later, use that data in an unlawful or unethical fashion to exploit others in a way that stands to potentially significantly boost their power/influence/wealth.

I'm going a far step above beyond and suggesting the exploitation will come, not from leaks, but directly from the data harvesting companies. The reason is simple. Again, the two scenarios above are mutually exclusive and one must be true. So what would you place the probability weighting as? I think most of everybody would agree that the probability of #2 is very near 100%. It's also possible that it is literally 100%, in that it has already happened but we don't know about it. Truly effective blackmail would obviously not be headline news.

#2 Already happened:

"Hundreds of Bounty Hunters Had Access to AT&T, T-Mobile, and Sprint Customer Location Data for Years"


It's entirely possible that this has already happened but no one other than the blackmailer and victim knows.

It's plausible but not very probable, at least as far as policy positions are concerned. With the current campaign financing laws, there are legal ways to coerce politicians into voting a certain way. It's more risky to blackmail them.

But money only goes so far. Some things cannot be bought, but they can be coerced.

Like what?

Compare Lindsay Graham re: Trump in 2015 vs. 2017


He was very anti-Trump and then later pro-Trump. Though it's not clear whether it's a result of coercion or anything other than Graham capitulating to work to get stuff done.

He's a republican. The approach he used - if you can't beat them then join them. Not sure if T has any dirt on him.

Along the lines - Chris Christie was also very anti T before T got the nomination.

He switched almost immediately after McCain died. Almost as if McCain had some kind of hold over him.

After this latest spiral down in the degradation of politics I feel like that kind of information would nearly be a badge of honor. When your highest seat of the government does pr0n stars, well, the bar is pretty low.

> When your highest seat of the government does pr0n stars, well, the bar is pretty low.

So by that logic JFK and MLK were also pretty low? Oh wait--I'm not sure they were doing actual porn stars.

No, not much different. Not sure what it is about politics and/or power that somehow makes it so difficult to keep it in your pants.

You've probably got the direction of causation backwards.

People who want lots of sexual partners seek ways to get that. Many people are attracted to the powerful. So people who can't stand to keep it in their pants are more likely to seek positions of power.

>Not sure what it is about politics and/or power that somehow makes it so difficult to keep it in your pants.

Sexual aggression has been a virtue signal of male power and status since the days when kings compared the size of their slave harems. Modern men have been taught through all forms of commercial media that their value as people is directly proportional to the amount of casual sex they have. Culturally, power and sex have always been linked.

When Trump said he could just grab women by the pussy and get away with it, of course, he was right. At that level of privilege one often doesn't need to keep it in their pants. Propriety and chastity are for lesser men to whom legal and social consequences can be applied.

Yes, the badge of honor I mentioned earlier. Still disappointing. You'd think we'd be better than this, by now.

Two steps forward, one step back, unfortunately. It's difficult to make progress when rape culture is a billion dollar industry and we're in the midst of an anti-progressive social backlash. At least every now and then a Bill Cosby or Harvey Weinstein gets raked over the coals.

Maybe it's simply due to the existence of social media and an actual positive effect of "outrage culture" but a few decades ago such people would have been all but untouchable.

I think most people who are concerned are bothered by the non-consensual activity. The people most likely to make public complaints about marital infidelity only do so for their political opponents, and voted for him by something like 90%.

Maybe for the type of person that ‘rises’ to political office, but regular people probably still care quite a bit.

> "You know the cream rises to the top!"

> "So does the scum," said Vimes automatically

-- Snuff by Terry Pratchett

My only real regret from reading Discworld was not keeping a set of notes of memorable quotes/thoughts.

Do regular people care with their words or with their votes? Because if it just words then how much care is there? As Mitch McConnell's office has stated recently, "Boys will be boys."

Isn't that an informal assessment of American culture?

Certainly not of corporate culture. People get fired for stuff like that all the time. Jonathan Friedland said the n-word and had to step down from Netflix, and he didn't even use it in a racist context. He only said the word as he listed offensive words.

Weird sex stuff can certainly be used to affect people in powerful corporate positions.

McConnell’s office did not state that. Search the web for “mcconnell fake quote” for info.

It seems like something obvious enough that I would be surprised if it wasn't already done.

The sheer volume of data and highly motivated state actors who are outside any legal risk both seem pretty high.

you can also win by presenting a public persona that is slightly degenerate/shambolic, so such an embarrassment will only add to your appeal in your support base...


The Trump / Johnson play.

I figured as much, and these are not slightly shambolic. (I can not say for Johnson, don't know enough about him.)

I would be shocked if this isn't happening all the time.

I actually worry more about the other threat implied by your use of dynamically inserting kompromat in a message.

Imagine sending emails like that at scale in key voting districts. Sure it would get shut down. Substantial, irrevocable damage could still be done in the form of voter suppression.

> Sure it would get shut down.

You mean it would get shut down if done officially? Otherwise, I don't really see an option of shutting it down once the emails are underway. I doubt that providers will manually kill emails from their users' mailboxes, even if they were allowed to.

One thing rarely discussed with a Gmail hack is that it isn't just email, it's location history, search history, backed-up photos, app store history (on Android) AND browsing history. With that data almost anyone could be a blackmail target.

I don't think you're far off. Plus, who knows how long the bad guys had to harvest this stuff prior to the good guys finding it. Or I wouldn't put it past some foreign hacker agency or even the NSA from scooping it up for a rainy day.

At some point, I think the public will just stop caring. American society has already reached that level in some ways. I can't imagine the President's supporters caring about anything bad he's ever done.

Well, Black Mirror (the TV series) has played with this topic. It has already played out in some ways, where there have been stories of people being manipulated because they get compromising video by hijacking people's cams, then they leverage that to get more. So there is a good possibility it's playing out involving people of influence.

What makes you think it hasn't already been done, exposed and dismissed as conspiracy theory?

It wouldn't matter if we weren't so uptight about sex (thanks, Christianity!). Granted, what goes on behind your doors may not be what I want to see, but it should not cost you much more than a red face and some banter down the pub if it comes out. And perhaps not even that. Sex is sex, let's chill out about it.

It would be somewhat surprising to me if this hadn't already happened.

This is the best explanation available for why the "black budget" grows ever larger. Who would dare vote against that? Maybe an angel? Maybe someone so obviously corrupt and disgusting that additional proof of those qualities wouldn't surprise any voter.... hmmmm.

Sex with more than one person at a time is corrupt and disgusting, apparently.

May I be allowed a different opinion?

Isn't the problem hypocrisy rather than group sex? You can perfectly legally have group sex in the UK (if all participants are legally consenting), the people most likely to object are those who think they're in a trusting monogamous/monoandrous relationship with one of the participants.

The primary reasons people can be blackmailed seem to be because they've not been forthright, or, they themselves perceive it as wrong.

I'd extend that to hypocrisy and/or dishonesty, and yes those are valid objections (IMO the only ones), but my problem is the apparent view that the act alone is socially reprehensible, not the secondary issues of being two-faced, or going behind your partner's back without their knowledge.

So yes I completely agree with you, once those 2 issues have been teased apart. The GP comment with "obviously corrupt and disgusting" was objectionable. TBF looking at other comments I see little or none of that.

Somehow you've completely misunderstood the comment above.

To be fair, the users could just be staff or interns. I don't believe anyone is suggesting Trump or Boris Johnson are using 3fun.

As pointed out in the article, it could be someone having a bit of cheap fun with a spoofed GPS.

All it takes is staff or interns to compromise an entire political campaign. Just because they aren't the primary candidate doesn't mean they don't have access via blackmail to the information someone is looking for. It really is a huge security nightmare with people that have a candidate's calendar or even access to a candidate's email. Also, in terms of Trump possibly being compromised. Google Jeffrey Epstein.

To be clear, I do not have any illusory perception of the personal morality of Trump; it's just that location data isn't enough to really tie anyone to any official or important person. You can just claim it was an intern, even if the politician was the user, and fire the intern. My point is it's not as potentially damaging as, say, actual evidence of scandalous behavior is.

For example, there was the comedic Ted Cruz Twitter scandal in which his account liked a Pornhub video featuring incest play. He claimed it was a staff mistake and moved on.

If only all the people being paid to automate regular jobs could automate the government instead using open source software.

when? right now!

Maybe I didn't have enough coffee yet today, or maybe I'm just missing something entirely, but.... this whole report talks about how the web API leaks user data, right? Yet all I see in their examples are HTTPS requests. Doesn't that require that somebody already infiltrated either a client device (scope limited to single client), or a central server? How did they man-in-the-middle/decrypt this HTTPS traffic?

True, if a web cache (not under exclusive control of the company) can be queried for this data by a 3rd party, it sure is a big problem. But that is rather an operational fuck-up more than it is a fundamental design flaw.

How did these pen testers get access to server requests, inside the HTTPS traffic with 3fun's servers? I'm curious how they got access to this info. I'm also curious why nobody else appears to be asking that question. Did I read the article too quickly and miss something that explains how they did that?

They're just querying the API.

The data they are examining was meant so the app knows how many people are "in your area"... but instead of just giving you some vague information, it's giving you the exact coordinates of other users, and identifying info about them.

Really, one could argue it's not even "leaking" data about other users, it's just delivering that data to you per your request. "Leak" kind of implies at least disclosing info about other users was not your intention, whereas this seems more like "Delivering".

> "Leak" kind of implies at least disclosing info about other users was not your intention

That's the whole point - it's not uncommon for (very) junior programmers to not understand the difference between client and server-side validation. This is absolutely a leak.

> How did they man-in-the-middle this HTTPS traffic?

The easiest way would be to use an HTTPS debugging proxy like Charles.

But really, since the testers control the client device, they can do whatever they want.

The problem is that 3fun trusts the client to keep other users' data private. This is pretty obviously a bad idea, since attackers can modify the client in pretty much any way they like.

They are using Burp to proxy the HTTP requests. Assuming there's no proper CA validation on the client side or client certificates, it's quite trivial.

Thanks, everyone, for your answers.

I made the mistake of assuming that the web API would only give access to data related to a specific client device (thus only "leaking" info about that client).

If their web API gives access to info of other clients, that is indeed a serious design fuck-up.

I don't know how this was done, but traffic could presumably be intercepted by using a proxy and installing the certificate for the proxy on the device - you have a secure connection from the app to the proxy and a separate secure connection from the proxy to the servers but the proxy gets to see all traffic in the clear.

Isn't ~35 days very short for a responsible disclosure timeline? This is extremely sensitive info and from the blog post it sounds like they didn't even warn the company that they were planning to disclose it.

edit: didn't notice the article does mention the problem was fixed before publishing, although they don't say how well it was fixed

> 3fun took action fairly quickly and resolved the problem, but it’s a real shame that so much very personal data was exposed for so long.

Ah thanks I missed that on first scan

Not sure how comfortable I am with them posting unredacted map screenshots of PII...

I’m just waiting for the day when Tinder is down in popularity, security fixes are a bit more lackadaisical and a zero-day exposes a decade of personal preferences of a large share of the population, not unlike a nuclear waste leak. Imagine the awkwardness when a coworker finds out you swiped them left (or right).

And no, I am not going to end this with a paternalistic or moralistic statement.

> Imagine the awkwardness when a coworker finds out you swiped them left (or right).

This really doesn't seem like that big of a deal to me.

I thought “pentestpartners” was writing a self post-mortem based on that company description.

Thank God I'm not alone

Penetration testing a group sex app.

I'm surprised it hasn't been done before.

I certainly chuckled at the combination of the title and the domain the article is hosted at. pentestpartners sounds like it could be the name of a group sex app...

"penetration testing" is my new euphemism for "early stage dating"

I know you’re joking but I think it’s a big problem in a lot of these very private apps that don’t get a lot of security attention before they’re released. Lovense, for example, is a pretty popular smart toy brand that has a bit of a history of security & privacy issues. Both device hacking[1] and sketchy data collection[2].

I don’t know if it’s because they’re less secure than their competitors or because they’re a bigger brand so their security is looked at more often. I suspect they have terrible security but are probably a lot more secure than their smaller competitors.

[1] https://www.newsweek.com/hacked-butt-plug-controlled-anywher...

[2] https://www.helpnetsecurity.com/2017/11/13/lovense-bug/

Reminds me of Fufme: http://www.easylife.org/fufme/

I'm sure there are a few back doors as well.



Careful of any leaks

Australians only: somebody definitely got rooted.

I've long maintained that the only reason that "router", against all convention, is pronounced "rouw-ter", is that nobody is going to stand at the front of a lecture hall or meeting room and discuss a piece of hardware called a "rooter".

It's pronounced "rooter" in the UK. The wood-working tool spelled the same way is a "rowter" though.

While reading this it crossed my mind that part of this is a result of too much frontend code. Here, in exposing the location for distance purposes.

Interesting, that's the second dating app with a data leak today - Lovoo also has one, though the data is not as fine as here. https://www.heise.de/newsticker/meldung/Dating-App-Lovoo-Nut...

Reminds me of a similar submission a while ago: https://news.ycombinator.com/item?id=18029078 Shame that they transmit sensitive information like that in a URL param in plaintext.

I agree that the ineffective privacy setting is broken, but I feel like an app which has as part of its functionality finding users near you, naturally needs to tell others your location, and vice-versa. I assume any app which asks for GPS permissions is going to phone home with your location.

"There's someone within a mile of you" and "here's their coordinates down to ~30 feet, and their supposedly private photo, and their birthday" are very different bits of info.

These apps only display a very rough location - nobody reasonably expects their precise GPS coords to be disclosed.
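The gap the last few comments describe, between a rough "someone is within a mile" answer and an API that hands back exact coordinates, a birthday and a supposedly private photo, and the earlier point that a server which only checks for an authentication header lets any logged-in client enumerate everyone else's records, shown as one added Python example. This is not code from the thread, from 3fun or from Pen Test Partners; the users, coordinates, field names (including the `share_location` privacy flag) and URLs are all constructed for illustration.

```python
# Added example, not from the thread or from the app discussed: a "nearby
# users" lookup done two ways. All users, coordinates and URLs are constructed.
import math
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    lat: float
    lon: float
    birthdate: str
    private_photo_url: str
    public_photo_url: str
    share_location: bool  # the user's own privacy setting (assumed field)


# Constructed sample users; coordinates are roughly central London, but no
# real person is described.
USERS = [
    User(1, 51.5074, -0.1278, "1990-01-01", "s3://bucket/1-private.jpg", "cdn/1.jpg", True),
    User(2, 51.5100, -0.1300, "1988-05-05", "s3://bucket/2-private.jpg", "cdn/2.jpg", True),
    User(3, 51.5300, -0.1000, "1995-07-07", "s3://bucket/3-private.jpg", "cdn/3.jpg", True),
    User(4, 51.6000, -0.2000, "1985-09-09", "s3://bucket/4-private.jpg", "cdn/4.jpg", True),
    User(5, 51.5080, -0.1280, "1992-11-11", "s3://bucket/5-private.jpg", "cdn/5.jpg", False),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _requester(requester_id, users):
    # "Authenticated" only means a row exists for the caller; nothing more.
    for u in users:
        if u.user_id == requester_id:
            return u
    raise PermissionError("unknown user")


def nearby_vulnerable(requester_id, users, radius_km):
    """Returns the full stored record of every user in range. The client is
    trusted to hide the coordinates, birthdate and private photo, and the
    privacy flag is merely passed along rather than enforced."""
    me = _requester(requester_id, users)
    return [asdict(u) for u in users
            if u.user_id != me.user_id
            and haversine_km(me.lat, me.lon, u.lat, u.lon) <= radius_km]


def distance_band(km):
    """Coarse bucket: enough for 'someone is nearby', useless for locating them."""
    if km < 1:
        return "under 1 km"
    if km < 5:
        return "1 to 5 km"
    return "over 5 km"


def nearby_hardened(requester_id, users, radius_km):
    """Server-side policy: honour the privacy flag, drop the requester, and
    return only the fields the feature needs, with distance as a band."""
    me = _requester(requester_id, users)
    out = []
    for u in users:
        if u.user_id == me.user_id or not u.share_location:
            continue
        km = haversine_km(me.lat, me.lon, u.lat, u.lon)
        if km > radius_km:
            continue
        out.append({"user_id": u.user_id,
                    "public_photo_url": u.public_photo_url,
                    "distance": distance_band(km)})
    return out


def exposed_fields(records):
    """Union of keys a client receives: what an intercepting proxy would show."""
    return set().union(*(r.keys() for r in records))


if __name__ == "__main__":
    print("vulnerable exposes:", sorted(exposed_fields(nearby_vulnerable(1, USERS, 20))))
    print("hardened exposes:", sorted(exposed_fields(nearby_hardened(1, USERS, 20))))
    for rec in nearby_hardened(1, USERS, 20):
        print(rec)
```

The point of `nearby_hardened` is where the filtering happens: on the server, before the response is built. Hiding fields in the client, as the comments about Burp and Charles note, does nothing once the person running the app controls the device, and a privacy setting that is only honoured by the UI is not a privacy setting at all.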

That's a great example of the sex app's lack of understanding of the gap between great UX and the risks the users face when all those features are in the app.

Very funny: A security issue in a group sex app is reported by penetration test partners. It could have been the name of the app.

there's a group sex app? brilliant!

I doubt it is good for society for such apps to exist in the first place.

The assertion being people who want to have threesomes are less likely to have children?

I suppose that could be the case; however, I am fairly unconvinced that this has any real effect on the population in comparison to the cost of having a child, coupled with the rise of understanding the costs involved with having a child.

I am curious... Why do you think so?

The app is promoting and is a manifestation of what a National Review essay calls our

"Our Childless, Childish Culture", by Madeleine Kearns, August 8, 2019: https://www.nationalreview.com/2019/08/our-childless-childis...

In the Western world and Asia, fertility is below replacement level, and in the Western world, the fraction of children born out of wedlock, who do worse than children of married couples by any measure, is rising. So I think working on something like eHarmony is much more moral than the app discussed in this thread.
