Group dating app exposed 1.5m users’ data in ‘privacy trainwreck’

More than 1.5m users of threesome dating app 3Fun had their data exposed right down to their real-time location, in what security researchers have called “a privacy trainwreck”.

In the description on the Google Play Store, the app promises that “only your matches can see your hot private photos.” This, it turns out, wasn’t true at all.

UK-based Pen Test Partners found that none of the app’s user data was encrypted, leaking the precise location, photos and other personal details of any nearby user.

Ken Munro, founder of Pen Test Partners, said it was “probably the worst security for any dating app we’ve ever seen.” The company’s researchers were easily able to locate 3fun users, with some pin-pointed inside the White House, the Pentagon and at 10 Downing Street (although this could be the work of tech-savvy users spoofing the app’s poor security, it does show just how important data encryption is).

Pen Test Partners contacted 3fun on July 1 and asked the company to solve the security issues, but it took three weeks before a fix was put in place. But while the company might have tightened up security, recent user feedback on the Google Play Store says the app is “90% fake profiles”.

The report on Pen Test Partner’s website explains: “Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it… But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”

The combination of real-time location tracking, easily-accessible photos and personal information (including full names, birthdays and sexual orientation) means 3fun users’ info was publicly-available way beyond the people you match with.

Data security on dating apps is no new issue – in May this year, a security researcher discovered an open database that listed people’s usernames, ages, locations and even IP addresses.

Read Next: Gay dating app Scruff buys Jack’d, promises better security for users

Article by

Tara

Tara Lepore's expertise and writing prowess have been showcased through her contributions to respected publications such as Wired, The Guardian, Vice, and Gizmodo. Her insightful articles within these outlets have provided readers with an in-depth understanding of the intricate connection between sex and technology.Tara's ability to deliver well-researched and thought-provoking content has made her a valuable contributor in the field, capturing the attention of a wide audience and leaving a lasting impact. Her writing style effortlessly combines expert knowledge with a relatable and engaging tone, making complex topics accessible to all.Through her work, Tara Lepore continues to enlighten readers and shape the conversation on the ever-evolving landscape of sex and technology.

Get in touch

You'll Like These

Lelo Enigma Double Sonic stimulates the clit and A-spot (which may not exist for all women)

£84.14 £98.99

MysteryVibe Remote can control three devices at once

Woohoo! SIMS4 Lovestruck expansion pack brings poly characters, in-game dating app and ‘Romantic Dynamics’

Dating appdates (July 2024): Date AI characters in Japan, Grindr on the up, new safety code, and more