Blog: Internet Of Things

Group sex app leaks locations, pics and personal details. Identifies users in White House and Supreme Court

Alex Lomas 08 Aug 2019

We’ve seen some pretty poor security in dating apps over recent years; breaches of personal data, leaking users locations and more. But this one really takes the biscuit: probably the worst security for any dating app we’ve ever seen

And it’s used for arranging threesomes. It’s 3fun.

It exposes the near real time location of any user; at work, at home, on the move, wherever.

It exposes users dates of birth, sexual preferences and other data.

3fun emailed me to grumble (because that’s the thing you should be upset about…).

It exposes users private pictures, even if privacy is set.

This is a privacy train wreck: how many relationships or careers could be ended through this data being exposed?

3fun claims 1,500,000 users, quoting ‘top cities’ as New York, Los Angeles, Chicago, Houston, Phoenix, San Antonio, San Diego, Philadelphia, Dallas, San Jose, San Francisco, Las Vegas & Washington, D. C.

Several dating apps including grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position.

But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.

Here’s the data that is sent to the users mobile app from 3fun systems. It’s made in a GET request like this:

GET /match_users?from=0&latitude=xxxxxx&longitude=+yyyyyy&match_gender=63&match_max_age=61&match_min_age=30&offset=40&search_distance=100 HTTP/1.1

You’ll see the latitude and longitude of the user is disclosed. No need for trilateration.

Now, the user can restrict the sending of the lat/long so as not to give away their position.

BUT, that data is only filtered in the mobile app itself, not on the server. It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data. FFS!

Here are some users in the UK:

And plenty in London, going right down to house and building level:

And a good few users in Washington DC:

Including one in the White House, although it’s technically possible to re-write ones position, so it could be a tech savvy user having fun making their position appear as if they are in the seat of power:

There are definitely some ‘special relationships’ going on in seats of power: here’s a user in Number 10 Downing Street in London:

And here’s a user at the US Supreme Court:

See the 3rd line down in the response? Yes, that’s the users birthday disclosed to other parties. That will make it fairly easy to work out the exact identity of the user.

This data can be used to stalk users in near real-time, expose their private activities and worse.

Then it got really worrying. Private photos are exposed too, even when privacy settings were in place. The URIs are disclosed in API responses:

e.g. https://s3.amazonaws.com/3fun/019/user-1436xxx/5858xxx-big.jpg – our redaction:

We’ve pixelated the image to avoid disclosing the identity of the user.

We think there are a whole heap of other vulnerabilities, based on the code in the mobile app and the API, but we can’t verify them.

One interesting side effect was that we could query user gender and work out the ratio (for example) of straight men to straight women.

It came up as 4 to 1. Four straight men for every straight woman. Sounds a bit ‘Ashley Madison’ doesn’t it…

Any sexual preference and relationship status could be queried, should you wish.

Disclosure

We contacted 3fun about this on 1st July and asked them to fix the security flaws, as personal data was exposed.

They replied:

Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team

The text was a little concerning: we hope it’s just poor use of English rather than us ‘reminding’ them of a security flaw that they already knew about!

They want our advice for fixing the issues? Unusual, but we gave them some free advice anyway as we’re nice. Including maybe taking the app down urgently whilst they fix stuff?

3fun took action fairly quickly and resolved the problem, but it’s a real shame that so much very personal data was exposed for so long.

Conclusion

The trilateration and user exposure issues with grindr and other apps are bad. This is a whole lot worse.

It’s easy to track users in near real time, uncovering very personal information and photos.