More than 1.5m users of threesome dating app 3Fun had their data exposed right down to their real-time location, in what security researchers have called “a privacy trainwreck”.
In the description on the Google Play Store, the app promises that “only your matches can see your hot private photos.” This, it turns out, wasn’t true at all.
UK-based Pen Test Partners found that none of the app’s user data was encrypted, leaking the precise location, photos and other personal details of any nearby user.
Ken Munro, founder of Pen Test Partners, said it was “probably the worst security for any dating app we’ve ever seen.” The company’s researchers were easily able to locate 3Fun users, with some pinpointed inside the White House, the Pentagon and at 10 Downing Street (although this could be the work of tech-savvy users spoofing the app’s poor security, it does show just how important data encryption is).
Pen Test Partners contacted 3Fun on July 1 and asked the company to solve the security issues, but it took three weeks before a fix was put in place. And while the company might have tightened up security, recent user feedback on the Google Play Store says the app is “90% fake profiles”.
The report on Pen Test Partners’ website explains: “Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it… But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”
The combination of real-time location tracking, easily accessible photos and personal information (including full names, birthdays and sexual orientation) means 3Fun users’ information was publicly available well beyond the people they matched with.
Data security on dating apps is no new issue – in May this year, a security researcher discovered an open database that listed people’s usernames, ages, locations and even IP addresses.