Dating App Raw Leaks Users’ Location Data and Personal Information: What You Need to Know

A recent security breach at the dating app Raw has raised significant concerns regarding user privacy and data protection. According to a report by TechCrunch, sensitive information, including personal details and precise location data of users, was publicly exposed due to a vulnerability within the app.

What Data Was Exposed in the Raw App Breach?

The exposed information comprised various sensitive details, such as:

• Users’ display names
• Dates of birth
• Dating and sexual preferences
• Exact location data with street-level accuracy

About Raw Dating App

Launched in 2023, Raw aims to foster more authentic connections by requiring users to upload daily selfies. While the app’s specific user count remains undisclosed, it has surpassed 500,000 downloads on the Google Play Store.

New Features and Controversies

In the same week as the security incident, Raw announced its upcoming hardware, the Raw Ring. This wearable device is designed to monitor partners’ heart rates and other biometric data, providing AI-driven insights that could potentially flag infidelity. However, this raises ethical questions regarding emotional surveillance in relationships.

Security Claims and Reality

Despite claims on its website regarding the use of end-to-end encryption for data protection, TechCrunch’s investigations revealed otherwise. The analysis indicated that the app was leaking user data without any protective measures.

Response from Raw’s Co-founder

Marina Anderson, co-founder of Raw, stated that the data exposure was addressed promptly after TechCrunch brought the issue to their attention. She mentioned:

• “All previously exposed endpoints have been secured.”
• “Additional safeguards have been implemented to prevent similar issues in the future.”

However, when questioned about a third-party security audit, Anderson confirmed that none had been conducted, indicating a focus on product development over security assessments.

Investigation and Future Steps

The duration of the data exposure incident remains unclear, as Anderson stated the company is still investigating the breach. Regarding the app’s encryption practices, she noted:

“Raw uses encryption in transit and enforces access controls for sensitive data.”

Understanding the Vulnerability

TechCrunch’s discovery of the data exposure was facilitated by a network traffic analysis during a test of the Raw app. The app’s server lacked proper authentication, enabling anyone with a web browser to retrieve private information simply by manipulating URLs.

Implications of Insecure Direct Object References (IDOR)

This vulnerability, known as insecure direct object reference (IDOR), allows unauthorized access to sensitive data due to inadequate security checks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about the risks associated with IDOR vulnerabilities, urging developers to implement robust authentication measures.

Conclusion

Since addressing the issue, Raw has ensured that the exposed server no longer discloses user data. However, the incident highlights the critical importance of data security in dating apps. For more information on securing personal data online, visit CISA’s official website.