The 3Fun mobile dating app for “curious couples and singles” exposed users' precise locations, along with personal data such as dates of birth and private photos that the app's built-in privacy settings were supposed to protect.
Location data came as latitude and longitude coordinates precise enough to pinpoint where a user was.
The app collects its users' location in real time and can show it to potential matches if the user opts in. The location can also be hidden, but that setting is enforced only inside the app: the data still reaches the 3Fun server, and the server still hands it out to any client that asks.
The researchers' screenshot shows the mobile app receiving the location data in the response to a plain GET request.
In a blog post published today, Pen Test Partners researchers note that because the filtering happens only in the mobile app, they could query the 3Fun server directly for other users' locations.
Such requests revealed 3Fun users across the UK, at a level of detail that placed individual users inside a specific house or building.
Some users showed up at the White House, 10 Downing Street and the Supreme Court building.
Because the app does not encrypt traffic between the client and its server, this information is also easy to snoop on with an intercepting tool that can read and modify data in transit.
Other details retrievable from the 3Fun server include date of birth, gender and sexual orientation.
“This data can be used to stalk users in near real-time, expose their private activities and worse,” says Alex Lomas of Pen Test Partners.
Serious as this is, the leak of photos added to a user's private album is more worrying. According to the app's description, these images are supposed to be visible only to matched users.
In practice they are unprotected: the image path is returned in the API responses, and anyone who has the link can view and copy the photos.
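Both leaks described above come from the same design choice: the server returns everything and leaves the filtering to the mobile app, so anyone who talks to the API directly sees what the app would have hidden. The following Python is an added example, not code from 3Fun or Pen Test Partners, contrasting that pattern with privacy enforced on the server. The data model, the field names (such as share_location), the photo path scheme, the signed-URL endpoint and the signing key are assumptions made for illustration, and the sample users are constructed.

```python
"""Client-side filtering versus server-side enforcement of profile privacy.

Added example, not 3Fun's code.  The data model, field names, the /photo
endpoint and the signing key are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode
import hashlib
import hmac
import math

# Constructed signing key; a real deployment would load this from a secret store.
SIGNING_KEY = b"example-only-signing-key"


@dataclass
class User:
    uid: str
    lat: float
    lon: float
    share_location: bool      # the in-app "show my location" setting
    dob: str
    private_photos: list      # storage paths of the private album
    matches: set = field(default_factory=set)


# Constructed sample users (coordinates are central London, not real people).
USERS = {
    "alice": User("alice", 51.50337, -0.12765, False, "1990-04-02",
                  ["/media/private/alice/001.jpg"], {"bob"}),
    "bob": User("bob", 51.50337, -0.10000, True, "1988-01-15", [], {"alice"}),
    "mallory": User("mallory", 51.50000, -0.12000, True, "1995-06-30", [], set()),
}


def get_profile_vulnerable(viewer: str, target: str) -> dict:
    """The pattern the article describes: the server returns everything and
    trusts the mobile app to hide what the target chose to hide.  Any viewer,
    matched or not, receives exact coordinates, date of birth and the raw
    private photo paths."""
    u = USERS[target]
    return {
        "uid": u.uid,
        "lat": u.lat, "lon": u.lon,
        "share_location": u.share_location,   # only a hint for the client
        "dob": u.dob,
        "private_photos": u.private_photos,   # direct, unauthenticated paths
    }


def distance_km(a: User, b: User) -> float:
    """Great-circle (haversine) distance between two users."""
    earth_radius = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dp = p2 - p1
    dl = math.radians(b.lon - a.lon)
    h = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * earth_radius * math.asin(math.sqrt(h))


def _photo_tag(viewer: str, path: str, expires: int) -> str:
    """HMAC binding a photo path to one viewer and an expiry time."""
    msg = f"{viewer}|{path}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_photo_url(viewer: str, path: str, expires: int) -> str:
    """Short-lived URL for the (assumed) /photo endpoint; the storage path is
    never served without a valid tag."""
    query = {"path": path, "viewer": viewer, "exp": expires,
             "sig": _photo_tag(viewer, path, expires)}
    return "/photo?" + urlencode(query)


def photo_request_allowed(viewer: str, path: str, expires: int,
                          sig: str, now: int) -> bool:
    """Check the photo endpoint performs before reading the file: the tag must
    match the viewer, path and expiry, and the link must not have expired."""
    if now > expires:
        return False
    return hmac.compare_digest(_photo_tag(viewer, path, expires), sig)


def get_profile_hardened(viewer: str, target: str, now: int) -> dict:
    """Apply the target's privacy settings on the server.  Exact coordinates
    and date of birth are never returned; location is reduced to a whole-km
    distance, and only when the target allows it.  Private photos are listed
    only for matches, as viewer-bound, expiring signed URLs."""
    u, v = USERS[target], USERS[viewer]
    out = {"uid": u.uid}
    if u.share_location:
        out["distance_km"] = round(distance_km(u, v))
    if viewer in u.matches:
        expires = now + 300                      # five-minute links
        out["private_photos"] = [sign_photo_url(viewer, p, expires)
                                 for p in u.private_photos]
    return out
```

The point of the hardened version is that the decision happens where the attacker cannot reach it: a client that ignores the share_location flag gains nothing, because the server never sent coordinates, and a photo path copied out of one response is useless to a second person because the tag is bound to the viewer and expires.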
“We think there are a whole heap of other vulnerabilities, based on the code in the mobile app and the API, but we can’t verify them.”
3Fun claims more than 1.5 million users, though no statistics backing that figure could be found. On Android the app has over 100,000 installs and 9,260 reviews; on iOS it has roughly 25,700 ratings.
Pen Test Partners informed the developer on July 1, and a fix was made “quite fast,” says Lomas. The latest version of the Android app was released on July 21, and the latest version for iOS on July 8.