Dating App Raw Exposed Users’ Location and Personal Data Due to Security Flaws
The dating app Raw accidentally exposed users’ sensitive data, including precise location, birthdates, and preferences, due to a major security flaw. Researchers found that Raw’s servers lacked authentication, allowing anyone to access private profiles via a simple URL. Despite claims of end-to-end encryption, no such protections were in place. The company has since patched the vulnerability, but the incident highlights the critical need for robust security in apps handling intimate user data.
The dating app Raw, known for promoting “real and unfiltered love” through a unique interface using both front and back phone cameras, recently suffered a significant security breach exposing users’ personal data. This breach included highly sensitive information such as users’ approximate street-level locations, dates of birth, display names, and sexual preferences.
TechCrunch discovered the vulnerability during a routine test by downloading the app on a virtual Android device and monitoring the network traffic. They found that Raw’s servers returned user profile information without any authentication barriers, meaning anyone with a web browser could access private data simply by changing an 11-digit user ID in the URL.
This type of security flaw is known as an insecure direct object reference (IDOR), which allows unauthorized access to data due to missing or inadequate security checks. Despite Raw’s claims of end-to-end encryption, no evidence of such protection was found, further exacerbating the risk to user privacy.
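The missing check behind an IDOR, shown as an added example that is not Raw's code: a profile handler that trusts the ID in the URL, beside one that authenticates the caller and authorizes access per object. The field names, 11-digit IDs, session tokens and the choice of which fields other users may see are all constructed assumptions.

```python
# Constructed sample data; the schema and values are assumptions, not Raw's.
PROFILES = {
    "10000000001": {"display_name": "alex", "dob": "1994-02-11",
                    "location": (52.5200, 13.4050), "preference": "sample-a"},
    "10000000002": {"display_name": "sam", "dob": "1990-07-30",
                    "location": (48.8566, 2.3522), "preference": "sample-b"},
}
SESSIONS = {"tok-alex": "10000000001"}  # session token -> authenticated user ID
PUBLIC_FIELDS = ("display_name",)       # assumed: all that other users may see


def get_profile_vulnerable(user_id, token=None):
    """Flaw class described above: the ID from the URL is the only input used."""
    profile = PROFILES.get(user_id)
    return (200, dict(profile)) if profile else (404, {})


def authenticate(token):
    """Return the caller's user ID, or None when the token is absent or unknown."""
    return SESSIONS.get(token) if token else None


def get_profile_hardened(user_id, token=None):
    """Authenticate first, then decide per object what this caller may read."""
    caller = authenticate(token)
    if caller is None:
        return 401, {}                  # no anonymous reads at all
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, {}
    if caller == user_id:
        return 200, dict(profile)       # owner sees the full record
    # Any other authenticated user gets only the public subset, so changing
    # the ID in the request never yields location, birthdate or preference.
    return 200, {field: profile[field] for field in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(get_profile_vulnerable("10000000002"))            # full record, no token
    print(get_profile_hardened("10000000002"))              # 401
    print(get_profile_hardened("10000000002", "tok-alex"))  # public subset only
```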
Following the public exposure of the issue, Raw’s co-founder Marina Anderson confirmed that the security loopholes have been patched and additional safeguards implemented to prevent future incidents. However, this event underscores a broader industry challenge: many companies, especially in the software sector, often deprioritize security due to cost, complexity, or development speed concerns.
For dating apps, which inherently handle users’ most intimate and sensitive information, robust security measures are not just best practices but essential to protect user trust and prevent potentially harmful privacy breaches. The Raw incident serves as a cautionary tale for developers and businesses to rigorously test and secure their data infrastructures.
Key Lessons from Raw’s Data Exposure
- Implement strict authentication and authorization checks on all API endpoints to prevent unauthorized data access.
- Ensure end-to-end encryption is correctly implemented and verifiable to protect data in transit and at rest.
- Conduct regular security audits and penetration testing to identify and remediate vulnerabilities proactively.
- Prioritize user privacy and data protection as core components of app design, especially for platforms handling intimate personal information.
In conclusion, the Raw dating app’s accidental exposure of user data highlights the critical importance of cybersecurity in the digital dating landscape. As apps increasingly integrate novel features and hardware, security must evolve in tandem to safeguard users’ trust and privacy.