TechCrunch reports that Raw, a dating app touting more authentic interactions that has amassed over 500,000 Android installations since its launch two years ago, has been impacted by an insecure direct object reference (IDOR) issue that resulted in the exposure of sensitive user information.
Aside from leaking individuals' display names, birthdates, and sexual preferences, Raw also bared location details, some of which included coordinates, according to TechCrunch researchers, who were able to discover the IDOR vulnerability and the data exposure within minutes of creating a new user account on the app installed on a virtualized Android device. Researchers said that the security flaw could be leveraged by anyone to obtain other users' data just by entering a user's unique 11-digit code in the web address of the open "api.raw.app/users/" server. Meanwhile, Raw noted that it has already addressed the security issue. "All previously exposed endpoints have been secured, and we've implemented additional safeguards to prevent similar issues in the future," said Raw co-founder Marina Anderson, who noted that a third-party audit is yet to be conducted by the firm.
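The flaw described above is a textbook IDOR: the endpoint takes a user id straight from the URL and returns the record without checking whether the caller is entitled to it. The following Python is an added illustration written for this page, not code from Raw, TechCrunch, or the app's API. It models the vulnerable handler beside an object-level-authorization fix, and adds a small log check that flags one account reading many other users' records, the access pattern such a bug produces. The user records, 11-digit ids, field names and the access-log format are all constructed assumptions.

```python
"""Added example: IDOR on a per-user endpoint, the fix, and a detection check.

Nothing here is the real app's code; records, ids and log format are made up.
"""
import re
from collections import defaultdict

# Constructed profile store keyed by an 11-digit numeric id. The field names
# mirror the data categories the report says were exposed.
USERS = {
    "10000000001": {"display_name": "alice", "birthdate": "1990-01-01",
                    "preference": "women", "location": {"lat": 51.5, "lon": -0.12}},
    "10000000002": {"display_name": "bob", "birthdate": "1988-06-15",
                    "preference": "men", "location": {"lat": 40.7, "lon": -74.0}},
    "10000000003": {"display_name": "carol", "birthdate": "1995-03-30",
                    "preference": "everyone", "location": {"lat": 48.9, "lon": 2.35}},
}

# Fields any authenticated user may see about another user.
PUBLIC_FIELDS = {"display_name"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the request."""


def get_user_vulnerable(requester_id: str, target_id: str) -> dict:
    """Vulnerable pattern: authenticates the caller but never authorizes the
    object. Any logged-in user who guesses an id gets the whole record."""
    if requester_id not in USERS:
        raise Forbidden("unauthenticated")
    if target_id not in USERS:
        raise KeyError(target_id)
    return dict(USERS[target_id])


def get_user_fixed(requester_id: str, target_id: str) -> dict:
    """Fixed pattern: object-level authorization. The full record is returned
    only to its owner; anyone else gets the public subset, so sensitive
    fields never leave the server regardless of what id is supplied."""
    if requester_id not in USERS:
        raise Forbidden("unauthenticated")
    if target_id not in USERS:
        raise KeyError(target_id)
    record = USERS[target_id]
    if requester_id == target_id:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


# Constructed access-log lines in an assumed format; not real server logs.
LOG_LINES = [
    "2025-05-02T10:00:01Z user=10000000001 GET /users/10000000001 200",
    "2025-05-02T10:00:02Z user=10000000001 GET /users/10000000002 200",
    "2025-05-02T10:00:03Z user=10000000001 GET /users/10000000003 200",
    "2025-05-02T10:00:04Z user=10000000001 GET /users/10000000009 404",
    "2025-05-02T10:00:05Z user=10000000001 GET /users/10000000005 200",
    "2025-05-02T10:00:06Z user=10000000002 GET /users/10000000002 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<requester>\d{11}) GET /users/(?P<target>\d{11}) (?P<status>\d{3})$"
)


def enumeration_suspects(lines, threshold: int = 3) -> list:
    """Return requester ids that successfully (HTTP 200) read at least
    `threshold` distinct records other than their own. A single account
    walking through many ids is the signature of IDOR harvesting."""
    targets_by_requester = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        if m["requester"] != m["target"]:
            targets_by_requester[m["requester"]].add(m["target"])
    return sorted(r for r, t in targets_by_requester.items() if len(t) >= threshold)


if __name__ == "__main__":
    print("vulnerable:", get_user_vulnerable("10000000001", "10000000002"))
    print("fixed:     ", get_user_fixed("10000000001", "10000000002"))
    print("suspects:  ", enumeration_suspects(LOG_LINES))
```

The fix is the check inside `get_user_fixed`: authorization is decided per object, from the authenticated identity, not from the id in the URL. The log check complements it as a detective control; the threshold is arbitrary and would be tuned to a real service's normal profile-view rate.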