Security experts have uncovered major new vulnerabilities in a group hook-up app, exposing private pictures, real-time location and highly sensitive personal details.
Security consultancy Pen Test Partners branded the 3fun app a “privacy train wreck,” claiming the privacy issues it found could end countless careers or relationships.
The app leaked location data right down to the house and building level. Some of the exposed users’ data even put their location on Downing Street and in the White House, although the researchers hypothesized that this could simply be tech-savvy users manually re-writing their position.
“Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration.’ This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position,” explained Pen Test Partners’ Alex Lomas.
“But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”
Although users can restrict the sending of latitude and longitude information, this is only done client-side, which means the data is still available on the server and can be queried via API, he added.
Also exposed in the privacy snafu were birth dates, private photos – even with privacy settings applied – sexual preference, gender and relationship status.
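The difference between hiding data in the app and withholding it on the server can be shown in a short Python sketch. This is an added example, not code from 3fun or Pen Test Partners. The field names, the `hide_location` flag, the owner-only birth date rule and the sample record are all constructed assumptions.

```python
from copy import deepcopy

# Constructed sample record; every field name here is an assumption for illustration.
SAMPLE_USER = {
    "id": 101,
    "username": "sample_user",
    "latitude": 51.5034,
    "longitude": -0.1276,
    "birthday": "1990-01-01",
    "photos": [
        {"url": "https://cdn.example.invalid/p/1.jpg", "private": False},
        {"url": "https://cdn.example.invalid/p/2.jpg", "private": True},
    ],
    "settings": {"hide_location": True},
}

def serialize_client_trusting(user):
    """Weak pattern: return the full record plus flags and rely on the app to hide fields."""
    return deepcopy(user)

def serialize_server_enforced(user, viewer_id):
    """Hardened pattern: apply the owner's settings before the response is built."""
    is_owner = viewer_id == user["id"]
    out = {"id": user["id"], "username": user["username"]}
    # Fail closed: a missing setting is treated as "hide".
    if is_owner or not user["settings"].get("hide_location", True):
        out["latitude"] = user["latitude"]
        out["longitude"] = user["longitude"]
    out["photos"] = [{"url": p["url"]} for p in user["photos"]
                     if is_owner or not p["private"]]
    if is_owner:  # assumption: the exact birth date is never sent to other users
        out["birthday"] = user["birthday"]
    return out

def leaked_fields(response, user):
    """Audit a response built for a non-owner against the owner's privacy settings."""
    leaks = []
    hidden = user["settings"].get("hide_location", True)
    if hidden and ("latitude" in response or "longitude" in response):
        leaks.append("location")
    private_urls = {p["url"] for p in user["photos"] if p["private"]}
    if any(p["url"] in private_urls for p in response.get("photos", [])):
        leaks.append("private_photo")
    if "birthday" in response:
        leaks.append("birthday")
    return leaks
```

A check like `leaked_fields` belongs in the API's integration tests, run against the raw response body rather than against what the app renders.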
It goes without saying that such information could be a treasure trove for potential blackmailers. It recalls the furore surrounding adult infidelity site Ashley Madison, where an estimated 37 million customer records were stolen and subsequently used to extort money from victims.
Pen Test Partners contacted 3fun, which fortunately “took action fairly quickly and resolved the problem.” However, the fact that an estimated 1.5 million users may have been exposed on a platform where privacy is crucial will be of great concern.