Many dating apps targeted at LGBTQ people are unsafe to use and have a history of leaking their users' personal information, a cyber security researcher said. He added that if people insist on using dating apps, they should choose those that have a bug bounty program.
Last week, the lesbian dating app Rela, popular in China, was discovered to have exposed the data of more than five million users, including their private and intimate status updates, some of which contain some form of personal identification, and, for users who allowed the app to access it, their geolocation. The data sat in a database that was not protected by a password.
The database was discovered by cyber security researcher Victor Gevers, who posted about the exposed database on his personal Twitter account. Gevers is known for having disclosed several vulnerable MongoDB databases in the past and for helping the companies involved secure their data. Gevers was also the one who discovered the now-infamous “BreedReady” database containing identifiable information on millions of Chinese women, including their name, address, phone number, and “breed readiness” status.
In a private chat, Gevers told Z6Mag that the dating app Rela had had a “serious security issue for years.” He said that the database with all the user data was freely accessible to anyone, including cyber criminals and anti-gay movements: the Elasticsearch instance could be queried directly from a web browser.
The database found by Gevers contained information on 5.3 million app users; each record included the user's nickname, date of birth, height and weight, ethnicity, and sexual preferences and interests. Where users had permitted it, records also included their precise geolocation. The database also contained more than 20 million “moments,” or status updates, including private data.
The tech expert believes that the database has been exposed and accessible since July 2018, and no one knows who has already accessed it and exfiltrated the data it contains.
Gevers explained that, aside from the fact that the database could easily be searched from the internet with a browser, the app also communicates with its server over HTTP rather than HTTPS. Explaining the gravity of this, Gevers highlighted how easy it is for others on the same WiFi network to “eavesdrop” on that traffic.
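As an added illustration of the two problems described above (a database reachable without a password, and traffic sent over plain HTTP), the following elasticsearch.yml fragment, which is not Rela's configuration or Gevers's material, shows the weak settings next to their hardened form. It assumes Elasticsearch 7.x or later, where basic authentication and TLS on the REST port are part of the free Basic license, and the certificate paths are placeholders.

```yaml
# Added example, not Rela's configuration. Assumes Elasticsearch 7.x or later.

# --- Weak: what "an open database queryable from a browser" looks like ---
# network.host: 0.0.0.0            # listens on every interface, public ones included
# xpack.security.enabled: false    # no users, no passwords: any GET /_search succeeds
# (no xpack.security.http.ssl.* settings at all -> cleartext HTTP, readable
#  by anyone on the same Wi-Fi network)

# --- Hardened ---
network.host: 127.0.0.1            # or a private interface; never a public address
http.port: 9200

# Require authentication on every REST call (built-in users are created with
# bin/elasticsearch-setup-passwords after enabling this).
xpack.security.enabled: true

# Serve the REST API over HTTPS so credentials and query results are not
# visible to anyone sharing the network.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12     # placeholder path
# The keystore password goes into the secure settings store, not this file:
#   bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

# Encrypt node-to-node traffic as well (required once security is enabled
# on a production cluster).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12     # placeholder
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12   # placeholder
```

After restarting the node, an unauthenticated `curl -k https://127.0.0.1:9200/` should return HTTP 401 rather than cluster information, and a plain `curl http://127.0.0.1:9200/` should fail to connect at all; if either still answers with data, the exposure described in the article is still present.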
“This is a real privacy issue,” Gevers stressed.
Because of what he discovered, Gevers advised everyone to stop using the dating app, adding that it also has other security risks aside from the reckless exposure of the database. Asked whether his warning extended to all gay dating apps, given that other similar smartphone applications such as Grindr have been tagged as security threats and that concern over the geolocation feature these apps offer is growing, Gevers said that he could not comment on other apps, only on those whose problems had been made public.
“The privacy of people is very important. And I assume that for people who use these services, they should not be worried about their privacy and safety. But we have seen countless examples of dating apps for LGBTQ which were not secured at all,” Gevers told Z6Mag.
When pressed to name other apps considered security threats, he said that he could only talk about those that had previously been reported; he could not mention those that were kept private, as they advocate responsible disclosure.
However, Gevers cited Grindr as an example. Grindr, a dating app known for using geolocation, has been swamped with controversy over the security of its users' data. While there is no reported breach at Grindr, users are gradually closing their accounts as the risks become more apparent to them. In 2014, it was reported that the app's relative distance measurements could allow people to locate individual users, compromising their privacy.
Today, the app is being used in countries including the United Arab Emirates, Indonesia, Ukraine, Russia, and Egypt to track and arrest gay men, a significant violation of the individuals' data privacy.
Gevers also mentioned Jack’d, another gay dating app, which had been leaving images that users posted and marked as “private,” along with chat sessions, open in a database, potentially exposing the privacy of thousands of users. The breach was first reported in February 2019.
In the end, Gevers said that he would definitely advise everyone to stop using Rela, but for those who still want to use problematic apps for whatever reason, he said that users should choose dating apps with bug bounty programs because they are the most trustworthy. A bug bounty program pays white hat hackers a bounty, usually monetary, for reporting security issues.
“That is not practical. I would advise to not use Rela for sure. The best dating apps with bug bounty programs are the most trustable because they pay bounties for reported security issues,” he added. /apr