Feeld dating app – Your nudes and data were publicly available
The Feeld dating app has critical security vulnerabilities allowing unauthorized access to user data, including private messages and sensitive media, highlighting an urgent need for improved security measures.
The Feeld dating app has been found to have significant security vulnerabilities that expose users' private data, including sensitive images and messages. A recent security assessment revealed multiple instances of broken access control, allowing unauthorized access to various user information. Non-premium users can access profile details of premium users, read private messages, and even manipulate other users' profiles. The vulnerabilities include unauthenticated access to attachments, enabling attackers to view photos and videos shared in chats. Specifically, attackers can exploit the app's API to retrieve both replayable and time-limited media without authentication. This situation raises serious concerns about user privacy and data security within the app, highlighting the need for improved security measures to protect sensitive user information.
- Feeld app has critical security vulnerabilities exposing user data.
- Non-premium users can access premium user information and private messages.
- Attackers can retrieve photos and videos shared in chats without authentication.
- The vulnerabilities stem from broken access control as per OWASP Top 10.
- Urgent need for enhanced security measures to protect user privacy.
Related
Bumble and Hinge allowed stalkers to pinpoint users' locations down to 2 meters
Researchers from KU Leuven found vulnerabilities in dating apps like Bumble and Hinge, allowing stalkers to pinpoint users' locations. Affected apps have since improved their distance filters to enhance user privacy.
Flightaware Security Breach
FlightAware reported a security breach on July 25, 2024, exposing user personal information. Affected users must reset passwords, raising concerns about security practices and accountability for data breaches.
FlightAware configuration error leaked user data for years
FlightAware reported a data security incident exposing user information for over three years due to a configuration error. Affected users must reset passwords and are offered 24 months of identity protection.
Client-side filtering of private data is a bad idea
Matthew Garrett revealed security vulnerabilities in the dating app Feeld, indicating misleading privacy claims, retrievable sensitive data, and challenges in reporting issues, stressing the need for robust security measures.
Therapy Sessions Exposed by Mental Health Care Firm's Unsecured Database
A data breach at Confidant Health exposed sensitive patient information, including therapy recordings, due to an unsecured database. Experts stress the need for improved data security in telehealth services.
While it is conceptually easy to avoid this, I have seen similar mistakes much more frequently than I would like to admit.
Edit: the solution "check all permissions on the backend" reminds me of the solution to buffer overflows: "just add bounds checks everywhere". It's clear to the community at large what needs to be done, but getting everyone to apply this consistently is... not so easy.
And while this dating app isn't well known, it caters to people with different tastes (such as BDSM and group sex) and queer people. Needless to say, this is very sensitive in many parts of the world.
https://www.theguardian.com/technology/article/2024/sep/08/t...
Maybe it's time for an open source federated dating service or something. Or at least something that doesn't sell your data, doesn't leak your nudes, or doesn't get you beaten up/raped/murdered. Probably easier said than done.
I'm a game developer and we put more effort into keeping our game fair than this company does in keeping its users safe. They should be sued into oblivion.
GraphQL allows your front-end to query your data. Which is cool. But from the backend this is all really opaque (and usually implemented by a 3rd party library that has no idea about your access control).
Unless you're going to implement your access control in the database itself (not the worst idea, certainly better than doing it in the front end), then it's very hard to unwrap the GraphQL query in backend code to work out exactly what records should be returned/restricted.
Implementing decent access control in the backend means understanding the query and implementing a whole set of models/classes/functions/whatever that grok the database schema and can make decisions about "if the user_id is XXX then it can/cannot see this image in this context" [0]. They obviously implemented this in the front end because that's a lot easier with GraphQL.
I'm not saying this is a good implementation of GraphQL and that therefore the problem lies with GraphQL exclusively. I'm saying that GraphQL makes this mistake easier to make because it explicitly tries to remove the need for the backend to understand the query and so makes this kind of complex security situation harder.
[0] e.g. a specific image may be publicly accessible from the user's profile, or only available to matches, or only in a chat context (but not group chats), and inaccessible at any time from blocked users, etc. You can easily come up with a bunch of complex edge cases for just this one case.
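The per-image visibility policy sketched in the comment above, worked through as an added example that is not code from the original page or from Feeld: the decision (public profile image, matches only, 1:1 chat only but never group chat, always denied across a block) is made in a backend resolver rather than left to the client. The `Visibility` values, the context strings (`profile`, `groupchat`, `chat:<peer_id>`), the in-memory match/block sets and the choice to deny in both block directions are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):  # assumed visibility settings for one image
    PUBLIC = "public"    # anyone can see it on the owner's profile
    MATCHES = "matches"  # only users matched with the owner
    CHAT = "chat"        # only inside a 1:1 chat between owner and viewer


@dataclass(frozen=True)
class Image:
    id: str
    owner_id: str
    visibility: Visibility


@dataclass
class Graph:
    """Constructed in-memory relationship data standing in for the database."""
    matches: set[frozenset[str]] = field(default_factory=set)
    blocks: set[tuple[str, str]] = field(default_factory=set)  # (blocker, blocked)

    def matched(self, a: str, b: str) -> bool:
        return frozenset((a, b)) in self.matches

    def blocked(self, a: str, b: str) -> bool:
        # Assumption: a block in either direction hides media both ways.
        return (a, b) in self.blocks or (b, a) in self.blocks


def can_view_image(viewer_id: str, img: Image, context: str, g: Graph) -> bool:
    """Backend policy: True only if this viewer may see this image here."""
    if viewer_id == img.owner_id:
        return True
    if g.blocked(viewer_id, img.owner_id):
        return False  # blocked users never see anything, in any context
    if img.visibility is Visibility.PUBLIC:
        return True
    if img.visibility is Visibility.MATCHES:
        return g.matched(viewer_id, img.owner_id)
    if img.visibility is Visibility.CHAT:
        # Only the 1:1 chat with the owner; group chats never expose chat media.
        return context == f"chat:{img.owner_id}"
    return False  # deny by default for any unknown setting


def resolve_images(viewer_id: str, images: list[Image], context: str, g: Graph) -> list[Image]:
    """Resolver-style entry point: filtering happens server-side, so a client
    that ignores a visibility flag still only receives what it is allowed to see."""
    return [img for img in images if can_view_image(viewer_id, img, context, g)]
```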
Is it an education problem? If so, if there was a training budget, a day or two running against some simple capture-the-flag exercise might do a lot...
The Guardian article: https://www.theguardian.com/business/2024/sep/17/dating-app-...
I just read this and attempted to delete my and my partner's profile data. The process is currently totally broken in-app. There is no way to proceed past a certain point. There's nothing self-identifying about us in the app, but still... I'm furious.
Even with a full redesign/rebuild over the past year it still is nothing but glitchy software.
"BRB going to slaughter everyone my wife has chatted to"
Hard to believe the levels of incompetence here
They have investor funding... how come no due diligence was done?
I didn't realise the problems were this bad. They've had massive issues with their tech stack from a user POV. I've multiple times had my phone running incredibly hot while using it.