Full Report
Another rushed app launch and another set of horrific vulnerabilities. Writing secure code is hard; it takes time and a lot of effort to get right. This is a prime example of what can go wrong. In this case, the author briefly reviewed an app called Cerca and found some bad issues.

First, they downloaded the app and opened it in a proxy. The app uses OTP-based sign-in (a code sent to a phone number). Looking at the response to the request that submits a phone number, the OTP was simply included in the response body. Obviously, this means you can access anyone's account with just their phone number. Yikes.

The website also exposed an openapi.json file describing all of the endpoints. The goal was to find a way to enumerate users, get their phone numbers, and compromise all accounts. The endpoint /user/{user_id} returns exactly this. Since the IDs were sequential, all accounts could be brute-forced very quickly. The data accessible this way was vast: sexual preferences, passport information, personal messages, all of the good stuff. This is a complete invasion of privacy.

The company fixed the vulnerabilities once they were reported but made no public announcement about it, likely to avoid a PR nightmare. Privacy is hard to get right and requires careful design. Should a user be easily identifiable and findable with just an ID? How about a phone number? These considerations depend on the app, but they are always something to think about.
Analysis Summary
# Vulnerability: Complete Account Takeover and Mass PII Leak in Cerca Dating App
## CVE Details
- **CVE ID**: Not Assigned (N/A)
- **CVSS Score**: 10.0 (Critical) - *Calculated based on unauthorized access to all user accounts and full PII/credential disclosure.*
- **CWE**:
  - CWE-604: Use of Client-Side Authentication
  - CWE-204: Observable Response Discrepancy (Authentication Bypass)
  - CWE-284: Improper Access Control (IDOR)
  - CWE-213: Exposure of Sensitive Information Through Sent Data
## Affected Systems
- **Products**: Cerca Dating App
- **Versions**: All versions prior to April 21, 2025.
- **Configurations**: Default installations utilized the `api.cercadating.com` backend.
## Vulnerability Description
Multiple severe security flaws existed in the Cerca application’s backend API and authentication flow:
1. **Authentication Bypass (Broken OTP)**: The API included the One-Time Password (OTP) in the HTTP response body when a login was initiated for a phone number. This allowed any user to intercept the code and log into any account.
2. **Insecure Direct Object Reference (IDOR)**: The `/user/{user_id}` endpoint failed to implement proper authorization checks. Since user IDs were sequential (integer-based), an attacker could systematically iterate through all IDs to retrieve full profile data.
3. **Information Exposure**: The API leaked sensitive Personally Identifiable Information (PII) and documentation, including an `openapi.json` file at the `/docs` endpoint, which mapped the entire attack surface.
## Exploitation
- **Status**: PoC available (Authored by researcher Alex Schapiro).
- **Complexity**: Low
- **Attack Vector**: Network
- **Detail**: An attacker could use a directory fuzzer to find the API documentation, write a simple Python script to iterate through user IDs to collect phone numbers, and then trigger the OTP login to take over any specific account.
## Impact
- **Confidentiality**: Total. Access to passport information, private messages, sexual preferences, phone numbers, and home/current locations.
- **Integrity**: High. Ability to modify user matches and profile data.
- **Availability**: Medium. Risk of account lockout or mass data deletion via API.
## Remediation
### Patches
- The vendor reportedly patched the server-side vulnerabilities following a disclosure meeting on February 24, 2025. Users should ensure they are running the latest version of the mobile application available on official app stores.
### Workarounds
- No documented workarounds are available for the legacy vulnerable versions as the flaws were inherent to the backend API design.
## Detection
- **Indicators of Compromise**:
  - Unusual volumes of requests to the `/user/` endpoint from a single IP.
  - Large numbers of OTP requests generated for multiple phone numbers in a short duration.
- **Detection Methods**: Monitoring API logs for sequential ID scanning (scraping) and checking for the presence of sensitive fields (like OTP codes) in outbound HTTP response bodies.
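To make the two indicators above concrete, the following added example (not code from the researcher, the vendor, or this report) runs both checks over a constructed access-log sample: a sequential `/user/{id}` scan from one IP and an OTP burst across several phone numbers. The log format, the `/auth/otp` path and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log ("<ts> <ip> <method> <path> <status>"); the format and /auth/otp path are hypothetical.
SAMPLE_LOG = """\
2025-02-20T10:00:01Z 198.51.100.7 GET /user/1001 200
2025-02-20T10:00:01Z 198.51.100.7 GET /user/1002 200
2025-02-20T10:00:02Z 198.51.100.7 GET /user/1003 200
2025-02-20T10:00:02Z 198.51.100.7 GET /user/1004 200
2025-02-20T10:05:00Z 203.0.113.9 GET /user/4821 200
2025-02-20T10:10:00Z 198.51.100.7 POST /auth/otp?phone=%2B15550001 200
2025-02-20T10:10:01Z 198.51.100.7 POST /auth/otp?phone=%2B15550002 200
2025-02-20T10:10:02Z 198.51.100.7 POST /auth/otp?phone=%2B15550003 200
2025-02-20T10:30:00Z 203.0.113.9 POST /auth/otp?phone=%2B15559999 200
"""

def parse(log_text):
    """(timestamp, ip, method, path) per line; lines with the wrong field count are skipped."""
    rows = [ln.split() for ln in log_text.splitlines()]
    return [(datetime.strptime(r[0], "%Y-%m-%dT%H:%M:%SZ"), r[1], r[2], r[3])
            for r in rows if len(r) == 5]

def sequential_id_scanners(events, min_run=4):
    """IPs whose /user/{id} requests step the id by exactly 1 for min_run hits in a row."""
    ids = defaultdict(list)
    for _, ip, _, path in events:
        if path.startswith("/user/") and path[6:].isdigit():
            ids[ip].append(int(path[6:]))
    def longest_run(seq):  # longest streak where each id is the previous id plus one
        streak = best = 1
        for prev, cur in zip(seq, seq[1:]):
            streak = streak + 1 if cur == prev + 1 else 1
            best = max(best, streak)
        return best
    return {ip for ip, seq in ids.items() if longest_run(seq) >= min_run}

def otp_burst_sources(events, max_phones=2, window_s=60):
    """IPs that trigger OTPs for more than max_phones distinct numbers within window_s seconds."""
    hits = defaultdict(list)
    for ts, ip, method, path in events:
        if method == "POST" and path.startswith("/auth/otp?phone="):
            hits[ip].append((ts, path.split("=", 1)[1]))
    def burst(h):  # a window_s-second window anchored at each request, in time order
        h.sort()
        return any(len({p for t, p in h[i:] if (t - t0).total_seconds() <= window_s}) > max_phones
                   for i, (t0, _) in enumerate(h))
    return {ip for ip, h in hits.items() if burst(h)}
```

Both detectors flag `198.51.100.7` on the sample while the single-lookup, single-OTP client `203.0.113.9` passes; the thresholds should be tuned to the real API's legitimate traffic before alerting on them.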
## References
- **Researcher Blog**: hxxps[://]alexschapiro[.]com/cerca-vulnerability/
- **Hacker News Discussion**: hxxps[://]news[.]ycombinator[.]com/item?id=43964937
- **API Endpoint (Defanged)**: api[.]cercadating[.]com/docs/openapi[.]json