A Major Breach at Dating App Raw

In a startling revelation, the dating app Raw has suffered a significant security lapse that has left the personal and geographical data of its users exposed to the public. TechCrunch reports the breach, which includes critical information such as users’ display names, birth dates, dating preferences, and precise location coordinates—sometimes exposing them down to street level.

What Is Raw? A New Contender in the Dating Scene

Launched in 2023, Raw has positioned itself as a more authentic dating platform, encouraging user engagement through daily selfie uploads. Although the app doesn't disclose user numbers, its Android version has already garnered over 500,000 downloads on the Google Play Store.

Timing Is Everything: The Raw Ring and Security Concerns

Shockingly, this data breach comes just as Raw announced a new hardware extension—a wearable device called the Raw Ring. This gadget aims to monitor partners' heart rates and other metrics to offer AI-driven insights, reportedly to help detect infidelity. However, ethical implications around emotional surveillance cast doubt on the app's intentions.

The App’s Security Claims Versus Reality

Despite Raw's assurances of end-to-end encryption in its privacy policy, TechCrunch's tests reveal a troubling reality. The app appears to be leaking sensitive user data, with no evidence of the promised encryption in use. TechCrunch discovered that anyone with a web browser could access users' private information directly from Raw's unprotected servers.

Response and Accountability: What Comes Next?

Once informed of the breach, Raw quickly fixed the issue, claiming all exposed data endpoints have been secured and promising additional protective measures. Co-founder Marina Anderson stated that the company has yet to conduct a third-party security audit and would not confirm if affected users would be notified. Instead, they will submit a report to relevant authorities as required by law.

The Mechanics of the Breach: An In-Depth Look

The vulnerability stemmed from a type of bug known as insecure direct object reference (IDOR). TechCrunch's analysis demonstrated how the app pulled user profile information from Raw's servers without appropriate authentication, allowing access to sensitive data simply by modifying a user's unique ID number.

A Call to Action for Developers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has long warned about IDOR vulnerabilities. Their Secure By Design initiative emphasizes the importance of implementing robust authentication checks to prevent such security mishaps. With tech users increasingly vulnerable, the spotlight is on developers to prioritize user privacy and security.

Conclusion: Trust in Online Dating Apps?

As Raw moves forward from this alarming breach, questions remain about user safety and trust on online dating platforms. In an era where personal data security is paramount, incidents like these serve as critical reminders for consumers to remain vigilant about the apps they trust with their intimacy.