An Elastic database with no password protection was discovered, exposing the records of dating app users.
The majority of the exposed users appear to be located in America, judging by their IP and geolocations.
Security researcher Jeremiah Fowler, who discovered the database, noted that multiple dating applications all stored data inside it. Following further investigation, Fowler was able to identify dating apps available online with the same names as those in the database.
Fowler wrote in a blog post:
“What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other.”
Some of the sites, including in their Whois registration, appeared to use a fake address and phone number. Other sites in the database are registered privately, and the only way to contact them is via their app.
Fowler noted that he was easily able to obtain the identity of users, stating that the “dating applications logged and stored the user’s IP address, age, location, and user names”. Fowler added that for the majority of people, their online persona or user name serves as a unique cyber fingerprint.
“Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID,” Fowler said.
Fowler stressed that the only contact information available was fake, and that the other way to contact the developer was to download an unknown app, which in turn could pose a potential security risk.
“I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions.”
“What concerns me most is that the virtually anonymous app developers could have full access to users’ phones, data, and other potentially sensitive information.
“It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service.”