Client-side filtering of private data is a bad idea
Matthew Garrett revealed security vulnerabilities in the dating app Feeld, indicating misleading privacy claims, retrievable sensitive data, and challenges in reporting issues, stressing the need for robust security measures.
Matthew Garrett discusses the security vulnerabilities he discovered in the dating app Feeld, which is popular among alternative relationship communities. He highlights that the app's claim of protecting user privacy is misleading, as he found that private data could be accessed through simple queries. By analyzing the app's code, he identified that certain fields, such as "lookingFor" and "ageRange," were not displayed in the user interface but were still retrievable through the app's queries. This indicates that the app was not adequately protecting sensitive information. Additionally, hidden profiles were still included in the data sent to the app, raising further privacy concerns. Garrett faced challenges in reporting these issues, as there was no clear security contact, but eventually communicated with Feeld's security team, who confirmed that the vulnerabilities had been addressed. He emphasizes that client-side filtering is insufficient for protecting private data and that developers must implement robust security measures to prevent unauthorized access. While he acknowledges that some aspects, like private images and location data, appeared to be secure, he stresses the importance of thorough verification to ensure all potential vulnerabilities are resolved.
- Feeld's privacy claims were found to be misleading, as private data could be accessed through queries.
- Sensitive fields were retrievable even if not displayed in the app's user interface.
- Hidden profiles were still included in data sent to the app, raising privacy concerns.
- Garrett faced difficulties reporting the vulnerabilities but successfully communicated with Feeld's security team.
- Emphasizes the need for robust security measures beyond client-side filtering to protect private data.
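As an added illustration (not code from Garrett's article or from Feeld), here is the contrast in Python between a backend that ships whole profile records and leaves it to the app to decide what to render, and one that applies the visibility policy on the server. The field names "lookingFor" and "ageRange" come from the article; every other name and the sample records are constructed.

```python
# Added example: server-side projection of profile data versus client-side
# filtering. Field names "lookingFor"/"ageRange" are from the article; the
# sample records, helper names and the "hidden" flag are constructed here.

# Constructed sample data: what a naive backend might hand the app wholesale.
PROFILES = [
    {"id": 1, "name": "Alex", "bio": "climber", "lookingFor": ["friends"],
     "ageRange": [25, 35], "hidden": False},
    {"id": 2, "name": "Sam", "bio": "hiker", "lookingFor": ["long-term"],
     "ageRange": [30, 40], "hidden": True},   # a hidden profile
]

# Allowlist of fields any other user may receive; everything else is private
# to the profile owner. An allowlist fails closed when new fields are added.
PUBLIC_FIELDS = {"id", "name", "bio"}
PRIVATE_FIELDS = {"lookingFor", "ageRange", "hidden"}


def client_side_view(profiles, viewer_id):
    """The pattern the article warns about: the server returns every record
    in full and only the UI chooses what to draw. Anyone replaying the same
    query (or reading the response) gets the undisplayed fields and the
    hidden profiles as well."""
    return [dict(p) for p in profiles]   # nothing withheld on the wire


def server_side_view(profiles, viewer_id):
    """Enforce the policy before the data leaves the server: hidden profiles
    are never sent to other users, and other users' records are projected
    down to PUBLIC_FIELDS. The owner still receives their own full record."""
    out = []
    for p in profiles:
        if p["id"] == viewer_id:
            out.append(dict(p))          # owner sees everything about themselves
        elif not p["hidden"]:
            out.append({k: v for k, v in p.items() if k in PUBLIC_FIELDS})
    return out


def leaks(view, viewer_id):
    """Audit helper: which private fields (or hidden profiles) reach a viewer
    who does not own them? Empty set means the response is clean."""
    found = set()
    for p in view:
        if p["id"] != viewer_id:
            found |= PRIVATE_FIELDS & set(p)
            if p.get("hidden"):
                found.add("hiddenProfileSent")
    return found
```

Running the audit against both views for a third user shows the client-side variant exposing every private field plus the hidden profile, while the server-side variant exposes nothing.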
Related
Bumble and Hinge allowed stalkers to pinpoint users' locations down to 2 meters
Researchers from KU Leuven found vulnerabilities in dating apps like Bumble and Hinge, allowing stalkers to pinpoint users' locations. Affected apps have since improved their distance filters to enhance user privacy.
Online Dating
The article critiques online dating platforms for flawed business models and suggests charging men more to balance gender ratios. It advocates for compatibility questions, social media links, and CRM-like interfaces to improve user experience.
Corporate Secrets Were Left Exposed. This Guy Found Them All
Bill Demirkapi discovered over 15,000 hardcoded secrets and 66,000 vulnerable websites, highlighting significant security risks and the need for better reporting mechanisms and innovative solutions in cybersecurity.
Online dating apps struggle as people swear off swiping
Bumble's shares dropped 30% due to disappointing earnings, reflecting broader dissatisfaction in the online dating industry, where users prefer in-person interactions and safety concerns are prevalent despite its utility.
Complicated app settings are a threat to user privacy
Complicated default settings in popular mobile apps can expose user data, as seen with Venmo and Apple's Journal. Users must actively manage permissions to protect their privacy effectively.
The article is mostly about the resulting security by obscurity being broken.
Incredibly common in my experience in the security field.
So they’ve removed the server from the filtering process but made the privacy implications far worse.
The idea that a dating app could prevent your preferences from being collected seems unlikely to me too. If people are posting profiles and messaging each other on a platform, that platform is going to have no problem learning what their interests are. They don't need to know what you're searching for, as long as they know who you're finding.
BTW if some user of a dating service is concerned about his/her own searches... More than being scared about "potential client-side leaks other dating service users might harvest" try to concentrate on how much personal dating interests the service can harvest and eventually re-sell, if not "the service" just some working for it and having some side business...