A security interval for App’s appointments publicly exposed personal data and data on the private position of its users, discovered Techcrunch.
The data on display included users’ view names, birth dates, dating and sexual preferences associated with the RAW app, as well as the position of users. Some of the positions on the position included coordinates that were quite specific to identify the RAW apps with precision at the street level.
Raw, launched in 2023, is an app of appointments that claims to offer more authentic interactions with others in part by asking users to upload photos of daily selfies. The company does not disclose the number of users, but its list of apps on Google Play Store known to date more than 500,000 Android downloads.
The news of the security interval arrives in the same week in which the startup has announced a hardware extension of its appointment app, the raw ring, an unpublished wearable device that claims that it will allow app users to keep track of the heart rate of their partner and other sensor data to receive intuitions generated by the AI, apparently to detect infidelity.
Despite the moral and ethical issues of monitoring romantic partners and the risks of emotional surveillance, RAW statements on its website and in its privacy policy that its app and its unpublished device, both use end-to-end encryption, a security function that prevents anyone other than the user, including society, to access data.
When we tried the app this week, which included an analysis of the app network trafficking, Techcrunch has not found evidence of the fact that the app uses end-to-end encryption. Instead, we discovered that the app was publicly paying the data on its users to anyone who had a web browser.
Raw resolved exposure to data on Wednesday, shortly after Techcrunch contacted the company with the details of the bug.
“All the previously exposed endpoints have been guaranteed and we have implemented further guarantees to prevent similar problems in the future,” Marina Anderson, co-founder of the Raw Dating app, told Techcrunch.
When asked by Techcrunch, Anderson confirmed that the company had not performed a third -party safety audit of its app, adding that its “focus remains on the construction of a high quality product and significantly involving our growing community”.
Anderson would not be committed to proactively notifying interested users that their information was exhibited, but stated that the company would “submit a detailed report to the data protection authorities relevant to applicable regulations”.
It is not known immediately for how long the app was publicly paying the data of its users. Anderson said the company was still investigating the accident.
As for the statement that the app uses end-to-end encryption, Anderson said that Raw “uses encryption in transit and applies access controls for sensitive data within our infrastructure. Further steps will be clear after having thoroughly analyzed the situation”.
Anderson would not have told him when he was asked, if the company plans to adapt his privacy policy and Anderson did not respond to an e-mail of techcrunch follow-up.
As we found the data on display
Techcrunch discovered the bug on Wednesday during a short app test. As part of our test, we have installed the raw dating app on a virtualized Android device, which allows us to use the app without having to provide data from the real world, such as our physical position.
We created a new user account with fictitious data, as a name and a date of birth, and configured the position of our virtual device to appear as if we were in a Mountain View museum in California. When the app requested the position of our virtual device, we allowed access to the app to our precise position up to a few meters.
We used a network trafficking analysis tool to monitor and inspect the data that flow inside and outside the RAW app, which allowed us to understand how the app works and what types of data the app was loading on its users.
Techcrunch has discovered exposure to data in a few minutes from the use of the RAW app. When we uploaded the app for the first time, we discovered that it was extracting the user profile information directly from the company’s servers, but that the server did not protect the data returned with any authentication.
In practice, this meant that anyone could access any other user private information using a web browser to visit the web address of the exposed server – api.raw.app/users/ followed by a unique number of 11 digits corresponding to another user user. Modification of the figures so that it corresponds with the 11 -digit identifier of any other user has returned private information from the profile of that user, including their data on the position.
This type of vulnerability is known as a reference of direct or idor direct objects, a type of bug that can allow someone to access or modify the data on someone else’s server due to the lack of adequate security checks on the user who accesses the data.
As we have explained previously, Idor’s bugs are similar to having a key for a private mailbox, for example, but the key can also unlock any other mailbox on that same road. Therefore, the Idor bugs can be exploited with ease and in some cases listed, allowing access to the record after the user’s data record.
The US Cybersecurity Cisa agency has long warned of the risks that the Idor bugs have, including the ability to access typically sensitive data “on large scale”. As part of his initiative Secure by Design, Cisa declared in a 2023 advice that developers should guarantee that their apps carried out adequate authentication and authorization checks.
Since RAW has solved the bug, the exposed server no longer returns the user’s data in the browser.
