Vulnerability in dating application reveals users' personal and location information

Posted date 01/07/2025

The dating app Raw, launched in 2023 and with over 500,000 downloads on Android, suffered a serious data breach that publicly exposed sensitive information about its users, including usernames, birth dates, sexual preferences and location data accurate to within a few meters. TechCrunch discovered the leak while performing simple functional tests on the app, which revealed that the data could be easily accessed from a web browser without prior authentication.

Raw is touted as an app that offers more genuine interactions, asking users to upload daily selfies. The company also recently announced a wearable device called “Raw Ring,” designed to track a couple's vital signs and detect potential infidelity using artificial intelligence. Although the app claims on its website and in its policies that its services use end-to-end encryption, TechCrunch found no evidence of this when analyzing the app's network traffic. Instead, it found that data was transmitted without any encryption.

The vulnerability, known as IDOR (insecure direct object reference), is a type of flaw that allows accessing or modifying other users' data without proper authorization. By changing a numeric identifier in the API address, it was possible to view any user's private information.
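The flaw class described above, shown next to the object-level authorization check that closes it, with a small regression check that can run in CI. This is an added example, not Raw's code; the record fields, session tokens and function names are hypothetical and the sample data is constructed.

```python
# Constructed sample records; field names are assumptions, not Raw's schema.
PROFILES = {
    101: {"display_name": "alice", "birth_date": "1994-03-02",
          "location": (52.5200, 13.4050)},
    102: {"display_name": "bob", "birth_date": "1990-11-17",
          "location": (48.8566, 2.3522)},
}
# Constructed session tokens mapped to the user id each was issued for.
SESSIONS = {"token-alice": 101, "token-bob": 102}
# Fields any authenticated user may see on someone else's profile.
PUBLIC_FIELDS = ("display_name",)


def get_profile_vulnerable(user_id, token=None):
    """Flawed pattern: trusts the id in the request, never checks the caller."""
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, None
    return 200, dict(profile)


def get_profile_hardened(user_id, token=None):
    """Authenticate first, then authorize the caller against the object."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, None
    if caller != user_id:
        # Not the owner: return only the fields meant to be public.
        return 200, {k: profile[k] for k in PUBLIC_FIELDS}
    return 200, dict(profile)


def leaked_fields(handler):
    """List (token, target, field) where private data crossed accounts."""
    leaks = []
    for token in [None] + list(SESSIONS):
        for target in PROFILES:
            _status, body = handler(target, token)
            if body is None or SESSIONS.get(token) == target:
                continue  # denied, or the owner reading their own record
            leaks += [(token, target, f) for f in body
                      if f not in PUBLIC_FIELDS]
    return leaks
```

Running `leaked_fields` against every profile endpoint for every pair of caller and target, including the unauthenticated caller, catches this class of flaw before release.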

After being contacted by TechCrunch, the company quickly corrected the problem and claimed to have implemented additional security measures. However, its co-founder confirmed that an external security audit had not been conducted and avoided committing to directly notifying affected users. The company said it will file a report with data protection authorities, but did not respond to questions about possible changes to its privacy policy.