A significant security lapse at the popular dating app Raw has led to the public exposure of sensitive user information, including personal data and precise location details. TechCrunch, which reported the exposure, found that the leaked data included users’ display names, dates of birth, dating preferences, and location coordinates precise enough to pinpoint a user at street level.
Launched in 2023, the Raw dating app aims to foster more authentic interactions among users by requiring them to upload daily selfies. While the company has not disclosed its total number of users, its listing on the Google Play Store indicates more than 500,000 downloads on Android devices. The timing of the exposure is particularly concerning, as it coincides with Raw’s announcement of a new hardware extension, the Raw Ring. This unreleased wearable is designed to track a partner’s heart rate and provide AI-generated insights, ostensibly to detect infidelity.
Tracking a romantic partner’s vital signs raises obvious ethical questions. Setting those aside, Raw states on its website and in its privacy policy that both the app and the forthcoming device use end-to-end encryption, a design in which no one other than the communicating users, not even the company, can read user data. TechCrunch’s investigation found no evidence to support that claim: profile data that a genuinely end-to-end encrypted service could not itself read was being handed out in the clear by Raw’s own servers.
Following TechCrunch’s alert about the vulnerability, Raw addressed the issue swiftly. Marina Anderson, co-founder of the Raw dating app, stated in an email, “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future.” When pressed on whether the company had commissioned a third-party security audit, however, Anderson said it had not, and pointed instead to the company’s focus on product development and community engagement.
While Anderson did not confirm plans to proactively inform users affected by the data exposure, she indicated that a detailed report would be submitted to relevant data protection authorities under applicable regulations. The duration of the data leak remains unclear, as the company continues to investigate the incident.
TechCrunch’s investigation showed how little effort the exposure required. The team installed the Raw app on a virtual Android device, created a new account with dummy information, granted the app access to the device’s precise location, and watched the app’s network traffic with a traffic analysis tool. Within minutes they found that the app was retrieving user profile information from Raw’s servers over an endpoint that performed no proper check of who was asking: the server returned the requested record to anyone who requested it.
This class of vulnerability is known as an insecure direct object reference (IDOR). The server looks up a record by an identifier supplied in the request, here a user ID in the app’s URLs, without verifying that the requester is authenticated and authorized to see that particular record, so anyone can read another user’s data simply by changing the identifier and, by walking through the ID space, harvest profiles in bulk. The U.S. cybersecurity agency CISA has long warned about the risks of IDOR vulnerabilities, emphasizing that every request for an object must be checked both for who the caller is (authentication) and for whether that caller may access that specific object (authorization).
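To make the distinction concrete, the following added example (written for this page, not Raw’s code; the endpoint path, field names, session tokens, match table and sample profiles are all invented) places an IDOR-vulnerable profile handler beside a hardened one. The vulnerable handler trusts the ID in the URL and returns the whole record; the hardened handler authenticates the caller, authorizes the caller against the specific profile requested, and returns only the fields that caller is entitled to, so that even a legitimate match never receives another user’s exact date of birth or coordinates. A small enumeration loop plays the role of the attacker walking through user IDs.

```python
"""IDOR: a vulnerable profile endpoint beside a hardened one.

Illustrative code added to this article; it is not the Raw app's code.
Paths, field names, tokens and profiles are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not real users): three profiles, one live session,
# and a match table saying which users are allowed to see each other.
PROFILES = {
    1001: {"display_name": "Alice", "dob": "1995-03-02", "preferences": "women",
           "lat": 40.7580, "lon": -73.9855},
    1002: {"display_name": "Bob", "dob": "1990-11-17", "preferences": "men",
           "lat": 51.5033, "lon": -0.1195},
    1003: {"display_name": "Carol", "dob": "1988-06-30", "preferences": "everyone",
           "lat": 48.8584, "lon": 2.2945},
}
SESSIONS = {"tok-alice": 1001}           # bearer token -> authenticated user id
MATCHES = {1001: {1002}, 1002: {1001}}   # who may view whom, besides themselves

# Fields another user may legitimately see; exact DOB and coordinates are not among them.
PUBLIC_FIELDS = ("display_name", "preferences")


@dataclass
class Request:
    path: str                                   # e.g. "/api/v1/profiles/1002"
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def _profile_id_from_path(path: str) -> Optional[int]:
    """Parse /api/v1/profiles/<id>; None if the path does not match."""
    prefix = "/api/v1/profiles/"
    if not path.startswith(prefix):
        return None
    tail = path[len(prefix):]
    return int(tail) if tail.isdigit() else None


def handle_profile_vulnerable(req: Request) -> Response:
    """IDOR: the id in the URL is trusted as-is. Nobody checks who is asking,
    whether they may see this record, or which fields they should get."""
    pid = _profile_id_from_path(req.path)
    if pid is None or pid not in PROFILES:
        return Response(404)
    return Response(200, dict(PROFILES[pid]))


def _authenticate(req: Request) -> Optional[int]:
    """Map a bearer token to a user id, or None if the token is absent/unknown."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def handle_profile_hardened(req: Request) -> Response:
    """Authenticate the caller, authorize the caller against the specific
    object requested, then return only the fields the caller is entitled to.
    Unauthorized and nonexistent ids both yield 404, so an attacker cannot
    even learn which ids exist."""
    caller = _authenticate(req)
    if caller is None:
        return Response(401)
    pid = _profile_id_from_path(req.path)
    if pid is None or pid not in PROFILES:
        return Response(404)
    if pid == caller:
        return Response(200, dict(PROFILES[pid]))       # your own full record
    if pid in MATCHES.get(caller, set()):
        return Response(200, {k: PROFILES[pid][k] for k in PUBLIC_FIELDS})
    return Response(404)   # not a match: indistinguishable from "no such user"


def enumerate_profiles(handler, id_range, headers=None) -> dict:
    """Simulate the attack: walk ids and collect whatever the server hands back."""
    leaked = {}
    for pid in id_range:
        resp = handler(Request(f"/api/v1/profiles/{pid}", headers or {}))
        if resp.status == 200:
            leaked[pid] = resp.body
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("unauthenticated vs vulnerable:", enumerate_profiles(handle_profile_vulnerable, ids))
    print("unauthenticated vs hardened:  ", enumerate_profiles(handle_profile_hardened, ids))
    print("Alice vs hardened:            ",
          enumerate_profiles(handle_profile_hardened, ids, {"Authorization": "Bearer tok-alice"}))
```

Run stand-alone, the first line of output shows every profile, coordinates included, handed to a caller with no session at all, which is the behaviour the article describes; the hardened handler returns nothing to that caller, and returns only the two public fields of Bob to Alice. Note that the fix is not “add a login check” alone: a logged-in attacker could still walk the ID space, so the per-object authorization step and the field filtering are what actually close the hole.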
Although Raw says the exposed endpoints have been secured, closing one leak is not the same as earning back trust. An independent security audit, which the company admits it has never commissioned, and adherence to established data-protection practices will be essential in restoring confidence among its user base. The exposure of such sensitive information underscores the necessity for dating apps and other digital platforms that hold intimate personal data to enforce strict access controls and safeguard user data accordingly.