3Fun, a threesome dating app with more than 1.5 million users, exposed sensitive data, including real-time locations and private pictures.
The app’s lack of security was discovered by Pen Test Partners, who claimed that 3Fun has what is “probably the worst security of any dating app we’ve ever seen” with no user data protected by encryption.
According to Pen Test Partners, other dating apps like Grindr have been criticized for revealing users’ locations in the past through trilateration, which retrieved a person’s exact location by exploiting the apps’ “distance to me” feature by spoofing GPS positions.
3Fun, however, extracted the user’s latitude and longitude coordinates, and even if they restricted the sending of that information, the data was still on the server. Through it, Pen Test Partners was able to determine the locations of group meeting app users in several major cities. Some have even been found in the White House, the US Supreme Court and 10 Downing Street in London, although they probably faked their locations.
Pen Test Partners also found that people’s private photos on 3Fun were also exposed, even when they used the appropriate privacy settings. Other user information exposed includes dates of birth, gender, sexual orientation, and preferred matches. In addition, users can spoof their location to find out information about other users in a certain area.
Pen Test Partners forwarded its findings to TechCrunch, which ran the same tests and confirmed the findings against 3Fun’s security.
Worse, when Pen Test Partners contacted 3Fun on July 1 about data privacy concerns, the team behind the app asked for suggestions on what they could do to fix the issues. Pen Test Partners founder Ken Munro told TechCrunch that it took the 3Fun team weeks to fix the issues.
“3fun took action pretty quickly and fixed the problem, but it’s a real shame that so much very personal information was exposed for so long,” according to Pen Test Partners.
Data privacy concerns involving dating apps follow the debacle with Coffee Meets Bagel, which announced on Valentine’s Day that an unauthorized party had gained access to user data.
Editor’s recommendations
Categories: GAMING
Source: newstars.edu.vn