There were three in the bed, and a GET request said…
A mobile sex app used by those looking for a discreet menage-a-trois has ejaculated the real time locations of users – along with dates of birth, sexual preferences, chat data and private pictures – all over the internet, according to a penetration testing company.
3fun, which boasts 1,500,000 users, was described by Pen Test Partners as a “privacy train wreck”. It even exposes users' private pictures when privacy settings are on. The company described it as having “the worst security for any dating app we’ve ever seen.”
The key issue: data is only filtered in the mobile app itself, not on the server. “It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data.”
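The defect described above (the API returns the position data and the mobile app merely hides it when the privacy flag is set) beside the server-side fix, as an added illustration that is not code from the article or from 3fun. The profile fields, the request shape, the sample records and the `photo_viewers` allow-list are assumptions chosen to make the point runnable; `leaked_fields` is the check a tester would run against each endpoint to confirm that nothing the owner's settings cover is present in the response.

```python
"""Added example: client-side versus server-side enforcement of privacy settings.

Constructed illustration; field names and sample data are assumptions,
not 3fun's real schema or API.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Any


@dataclass
class Profile:
    """Constructed sample record (assumed schema)."""
    user_id: str
    display_name: str
    lat: float
    lon: float
    birthdate: str
    private_photos: list[str] = field(default_factory=list)
    # privacy settings the user chose in the app
    hide_location: bool = False
    hide_birthdate: bool = False
    # users explicitly allowed to see the private photos (assumption)
    photo_viewers: set[str] = field(default_factory=set)


def api_get_profile_unfiltered(profile: Profile) -> dict[str, Any]:
    """Vulnerable pattern: the server returns every field plus the privacy flags
    and trusts the mobile app to hide whatever the flags cover."""
    return {
        "id": profile.user_id,
        "name": profile.display_name,
        "lat": profile.lat,
        "lon": profile.lon,
        "birthdate": profile.birthdate,
        "private_photos": list(profile.private_photos),
        "hide_location": profile.hide_location,
        "hide_birthdate": profile.hide_birthdate,
    }


def mobile_app_render(response: dict[str, Any]) -> dict[str, Any]:
    """The app's client-side filtering. It only changes what is drawn on screen;
    anyone reading the API response directly never passes through this step."""
    shown = dict(response)
    if shown.get("hide_location"):
        shown.pop("lat", None)
        shown.pop("lon", None)
    if shown.get("hide_birthdate"):
        shown.pop("birthdate", None)
    return shown


def api_get_profile_filtered(profile: Profile, requester_id: str) -> dict[str, Any]:
    """Hardened pattern: the privacy settings are applied on the server, so the
    response itself never carries data the requester may not see."""
    if requester_id == profile.user_id:
        # the owner sees their own full record, flags included, to edit settings
        return api_get_profile_unfiltered(profile)
    resp: dict[str, Any] = {"id": profile.user_id, "name": profile.display_name}
    if not profile.hide_location:
        resp["lat"], resp["lon"] = profile.lat, profile.lon
    if not profile.hide_birthdate:
        resp["birthdate"] = profile.birthdate
    if requester_id in profile.photo_viewers:
        resp["private_photos"] = list(profile.private_photos)
    # the flag values themselves are not sent to other users either
    return resp


def leaked_fields(response: dict[str, Any], profile: Profile, requester_id: str) -> set[str]:
    """Endpoint check: which protected fields appear in the response although the
    owner's settings (or the requester's lack of access) say they should not."""
    leaks: set[str] = set()
    if requester_id == profile.user_id:
        return leaks
    if profile.hide_location:
        leaks.update(k for k in ("lat", "lon") if k in response)
    if profile.hide_birthdate and "birthdate" in response:
        leaks.add("birthdate")
    if "private_photos" in response and requester_id not in profile.photo_viewers:
        leaks.add("private_photos")
    return leaks


if __name__ == "__main__":
    # constructed sample: a user who switched every privacy setting on
    alex = Profile("u1", "Alex", 51.5, -0.12, "1990-01-01", ["p1.jpg"],
                   hide_location=True, hide_birthdate=True, photo_viewers={"u3"})
    raw = api_get_profile_unfiltered(alex)
    print("unfiltered API leaks to u2:", sorted(leaked_fields(raw, alex, "u2")))
    print("filtered API leaks to u2:  ",
          sorted(leaked_fields(api_get_profile_filtered(alex, "u2"), alex, "u2")))
```

The point of `leaked_fields` is that it inspects the raw response, not what the app renders: a check that only looks at the screen would pass the vulnerable endpoint, exactly the mistake the article describes.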
When it comes to location, it gets worse. As UK-based Pen Test Partners notes in a blog: “Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position. But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”
Testing the app for security issues, the firm found no shortage. It also spotted users apparently in Number 10 Downing Street and the White House.
Pen Test Partners said in a blog: “Here’s the data that is sent to the users' mobile app from 3fun systems. It’s made in a GET request like this.” [Illustration below].
The company notified the app makers in early June, getting the response: “Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team.”
(Pen Test Partners suggested some fixes, and recommended pulling the app offline while they were made.)
Users appear to be in the White House and in the Prime Minister’s residence, although, as Pen Test Partners notes, “It’s technically possible to re-write one's position, so it could be a tech-savvy user having fun making their position appear as if they are in the seat of power.”
The rest of the location data, down to house level, is likely to be genuine. 3fun says it has updated security as of July 8, adding “we will focus on updating our product to make it safer.”