A security oversight at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.
The exposed data included users' display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.
Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.
News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partner's heart rate and other sensor data to obtain AI-generated insights, ostensibly to detect infidelity.
Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app, and its unreleased device, both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.
When we tested the app this week, which included an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.
Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.
“All previously exposed endpoints have been secured, and we've implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email.
When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its “focus remains on building a high-quality product and engaging meaningfully with our growing community.”
Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would “submit a detailed report to the relevant data protection authorities under applicable regulations.”
It's not immediately known how long the app was publicly spilling its users' data. Anderson said that the company was still investigating the incident.
Regarding its claim that the app uses end-to-end encryption, Anderson said Raw “uses encryption in transit and enforces access controls for sensitive data within our infrastructure. Further steps will be clear after thoroughly analyzing the situation.”
Anderson would not say, when asked, whether the company plans to update its privacy policy, and Anderson did not respond to a follow-up email from TechCrunch.
How we found the exposed data
TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allowed us to use the app without having to provide any real-world data, such as our physical location.
We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device's location, we allowed the app access to our precise location down to a few meters.
We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.
TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user's profile information directly from the company's servers, but that the server was not protecting the returned data with any authentication.
In practice, that meant anyone could access any other user's private information by using a web browser to visit the web address of the exposed server, api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user's 11-digit identifier returned private information from that user's profile, including their location data.
This kind of exposure is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else's server because of a lack of proper security checks on the user accessing the data.
As we've explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on that same street. As such, IDOR bugs can be exploited with ease and in some cases en masse, allowing access to record after record of user data.
U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their apps perform proper authentication and authorization checks.
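To make the authentication-and-authorization point concrete, here is an added illustration (not Raw's code, and not from the article) of a profile endpoint in the shape the article describes, a record keyed by the numeric id in the URL, shown first as the vulnerable handler and then hardened so the caller must present a valid session token and may only read its own record. The user ids, names, coordinates, the HMAC-based token scheme and the server secret are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample data: two users with sequential 11-digit ids, as in the article.
# Names, dates, coordinates and the secret below are made up for this example.
USERS = {
    "10000000001": {"name": "Alice", "dob": "1990-01-01", "lat": 37.4141, "lon": -122.0778},
    "10000000002": {"name": "Bob", "dob": "1988-05-05", "lat": 37.3861, "lon": -122.0839},
}
SECRET = b"constructed-server-secret"  # hypothetical; a real server would load this from config


def issue_token(user_id):
    """Stand-in session token: the user id plus an HMAC over it (hypothetical scheme)."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id + "." + mac


def user_from_token(token):
    """Return the authenticated user id, or None if the token is absent or forged."""
    if not token or "." not in token:
        return None
    user_id, mac = token.split(".", 1)
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def vulnerable_get_user(path_id, token=None):
    """The IDOR pattern the article describes: the record named by the id in the URL
    is returned without checking who is asking, so any id yields another user's profile."""
    record = USERS.get(path_id)
    return (200, record) if record else (404, None)


def hardened_get_user(path_id, token=None):
    """Authenticate first, then authorize: a caller may read only its own record.
    The ownership check runs before the lookup, so an unauthorized request learns
    nothing about whether the id exists."""
    caller = user_from_token(token)
    if caller is None:
        return (401, None)
    if caller != path_id:
        return (403, None)
    record = USERS.get(path_id)
    return (200, record) if record else (404, None)
```

A regression test for the hardened handler should cover all three failure paths (no token, forged token, valid token for a different id), since an IDOR is exactly the case where the first two pass and the third is forgotten.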
Since Raw fixed the bug, the exposed server no longer returns user data in the web browser.