The app claims it uses end-to-end encryption, but spilled its users' dating preferences and granular location data to the open web.
Analysis Summary
# Incident Report: Raw Dating App User Data Exposure via IDOR Vulnerability
## Executive Summary
The dating application Raw experienced a critical security lapse in which personal data, including precise location coordinates, for potentially hundreds of thousands of users was publicly exposed because of a configuration error. The flaw, an Insecure Direct Object Reference (IDOR), allowed anyone with basic knowledge of the API structure to retrieve any other user's profile data without authentication. The exposure was remediated immediately after TechCrunch notified the company, but how long the data had been exposed is unknown.
## Incident Details
- Discovery Date: Wednesday (prior to the article publication date)
- Incident Date: Unknown (Duration of exposure prior to discovery)
- Affected Organization: Raw dating app
- Sector: Social Networking / Dating App (Technology)
- Geography: Not explicitly stated; the app serves a global user base through the public app stores.
## Timeline of Events
### Initial Access
- Date/Time: Discovery occurred on Wednesday. The exposure began whenever the application first started serving user data through the unauthenticated API.
- Vector: Exploitation of an Insecure Direct Object Reference (IDOR) vulnerability in the exposed API endpoint.
- Details: The API endpoint (`api.raw.app/users/[unique_ID]`) returned sensitive user data without requiring any authentication or authorization checks.
### Lateral Movement
- Not applicable in the traditional network-intrusion sense; this was direct data access across the user database. An attacker could move from one user record to the next simply by changing the user ID in the request.
### Data Exfiltration/Impact
- Personally identifiable information (PII) was exposed:
  - Display names
  - Dates of birth
  - Dating and sexual preferences
  - Precise user location data (street-level accuracy coordinates)
### Detection & Response
- **Detection:** Discovered by TechCrunch researchers during routine app testing using network traffic analysis on a virtualized device.
- **Response:** Raw fixed the exposed endpoints ("All previously exposed endpoints have been secured") shortly after TechCrunch contacted the company on Wednesday.
## Attack Methodology
- **Initial Access:** Direct access to the unsecured API endpoint from an ordinary web browser; no exploitation tooling was required.
- **Persistence:** Not applicable; data was exposed through an architectural flaw.
- **Privilege Escalation:** Not applicable; the flaw bypassed authorization entirely.
- **Defense Evasion:** The public exposure constituted a failure of basic security control rather than evasion of active defenses.
- **Credential Access:** Not explicitly used for this access method.
- **Discovery:** Attackers could easily enumerate user records by sequentially guessing or cycling through 11-digit user identifiers within the API structure.
- **Lateral Movement:** Sequential access to records via ID iteration.
- **Collection:** Profile information, dates of birth, preferences, and location coordinates.
- **Exfiltration:** Direct downloading of data via web browser accessing the unprotected API calls.
- **Impact:** Massive, unauthenticated exposure of highly sensitive, location-based PII.
## Impact Assessment
- **Financial:** Not quantified in the report; significant regulatory fines and remediation costs are a potential consequence.
- **Data Breach:** Exposure of sensitive PII, including display names, DOBs, preferences, and real-time street-level location data for users (500,000+ Android downloads noted).
- **Operational:** The core operational failure was the lack of authentication on a critical data endpoint.
- **Reputational:** Significant damage, especially given the company's public claim that the app is protected by "end-to-end encryption".
## Indicators of Compromise
The primary indicators relate to the exposed endpoint itself rather than to any attacker infrastructure:
- **Network Indicators:** Requests to `api.raw.app/users/` that carry no valid authentication token.
- **File Indicators:** Not applicable, as the breach was configuration-based.
- **Behavioral Indicators:** Unauthenticated GET requests returning full user profile JSON/data payloads from the specified API path.
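The behavioural indicator above can be checked mechanically. The following is an added detection example, not part of the report or Raw's tooling; it parses a constructed access-log format (`<ts> <client_ip> <method> <path> <status> <bytes> auth=<yes|no>`, an assumption) and flags both unauthenticated profile reads and clients touching many distinct user IDs.

```python
# Added detection example (not from the report): scan constructed API access
# logs for unauthenticated profile reads on /users/<id> and for clients that
# cycle through many distinct user IDs. The log format is an assumption.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) auth=(?P<auth>yes|no)$"
)
# The report describes 11-digit user identifiers.
USER_PATH_RE = re.compile(r"^/users/(?P<uid>\d{11})$")

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.5 GET /users/10000000001 200 842 auth=yes
2025-05-01T10:00:02Z 198.51.100.9 GET /users/10000000001 200 842 auth=no
2025-05-01T10:00:03Z 198.51.100.9 GET /users/10000000002 200 811 auth=no
2025-05-01T10:00:04Z 198.51.100.9 GET /users/10000000003 200 799 auth=no
2025-05-01T10:00:05Z 198.51.100.9 GET /users/10000000004 404 31 auth=no
2025-05-01T10:00:06Z 203.0.113.5 GET /health 200 12 auth=no
"""

def analyse(log_text: str, enum_threshold: int = 3) -> dict:
    """Return unauthenticated profile reads that succeeded, plus clients that
    touched at least `enum_threshold` distinct user IDs (ID cycling)."""
    unauth_hits, ids_by_client = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        p = USER_PATH_RE.match(m["path"])
        if not p:
            continue                      # only the profile path matters here
        ids_by_client[m["ip"]].add(p["uid"])
        # A 200 with a non-trivial body and no credential is the IDOR
        # signature; the 100-byte floor is a heuristic to ignore empty bodies.
        if m["auth"] == "no" and m["status"] == "200" and int(m["bytes"]) > 100:
            unauth_hits.append((m["ip"], p["uid"]))
    enumerators = {ip: len(ids) for ip, ids in ids_by_client.items()
                   if len(ids) >= enum_threshold}
    return {"unauth_profile_reads": unauth_hits, "enumerators": enumerators}
```

On the sample, the unauthenticated client is reported three times for successful reads and once as an enumerator covering four IDs, while the authenticated client and the health check produce nothing.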
## Response Actions
- **Containment Measures:** Raw secured all previously exposed API endpoints preventing further direct web access to user data.
- **Eradication Steps:** Remediation, as implied by the company's statement, involved adding proper authentication and authorization checks to the data access layer.
- **Recovery Actions:** The company stated that it was "thoroughly analyzing the situation" and committed to submitting a report to data protection authorities.
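The eradication step above comes down to one missing control: an object-level authorization check on the profile endpoint. As an added illustration (not Raw's code; the request, session store and user records are modelled with plain Python structures and constructed data), the flawed handler is shown beside a hardened one that authenticates the caller and then limits what a non-owner can see.

```python
# Added illustration (not Raw's code): the object-level authorization check
# whose absence characterises an IDOR. Requests, sessions and records are
# modelled with plain dicts/dataclasses so the example runs offline.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class UserRecord:
    user_id: str
    display_name: str
    date_of_birth: str
    preferences: str
    lat: float
    lon: float

# Constructed sample data; IDs are 11-digit strings as the report describes.
USERS = {
    "10000000001": UserRecord("10000000001", "Alex", "1990-04-12", "redacted", 51.5007, -0.1246),
    "10000000002": UserRecord("10000000002", "Sam", "1988-11-03", "redacted", 40.7580, -73.9855),
}
# Constructed bearer-token -> user_id mapping standing in for a session store.
SESSIONS = {"tok-alex-abc123": "10000000001", "tok-sam-def456": "10000000002"}

def get_user_vulnerable(user_id: str) -> tuple[int, dict | None]:
    """The flawed pattern: the path parameter alone selects the record and
    nothing checks who is asking, so any ID yields the full profile."""
    rec = USERS.get(user_id)
    return (200, vars(rec)) if rec else (404, None)

def get_user_secure(headers: dict, user_id: str) -> tuple[int, dict | None]:
    """Authenticate the caller, then authorise per object: the owner gets the
    full record; any other authenticated user gets only public fields."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)                       # no credential: refuse
    caller = SESSIONS.get(auth[len("Bearer "):])
    if caller is None:
        return (401, None)                       # unknown or expired token
    rec = USERS.get(user_id)
    if rec is None:
        return (404, None)
    if caller == user_id:
        return (200, vars(rec))                  # owner sees everything
    # Non-owners get a minimal view: no date of birth, preferences or
    # coordinates. Precise location should never leave the server raw.
    return (200, {"user_id": rec.user_id, "display_name": rec.display_name})
```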
## Lessons Learned
- **Key Takeaways:** Claims of robust security (e.g., end-to-end encryption) were unsubstantiated by the actual security posture, which suffered from a fundamental IDOR vulnerability. Misrepresentation of capabilities heightens reputational risk when a breach occurs.
- **What could have been done better:** The company did not commission a third-party security audit before launch, which would likely have caught the IDOR flaw, and it did not implement basic authentication and authorization checks on its user data retrieval endpoints.
## Recommendations
- Immediately conduct a comprehensive, third-party security audit, specifically focusing on API authentication, authorization (checking for IDORs), and data access controls across all services.
- Review and revise public claims regarding encryption and security features to accurately reflect current implementation standards.
- Establish a clear plan for proactively notifying affected users, as privacy regulations mandate, following any confirmed data exposure.
- Implement security standards aligned with government advisories (e.g., CISA warnings regarding IDORs) into the Software Development Life Cycle (SDLC).