Dating app Raw exposed users' location data and personal information | TechCrunch
A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.

The exposed data included users' display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users' locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.

Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others, in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.

News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partners' heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.

Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app and its unreleased device both use end-to-end encryption, a security feature that prevents anyone other than the user, including the company, from accessing the data.

When we tried the app this week, which included an analysis of the app's network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.

Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.

"All previously exposed endpoints have been secured and we've implemented additional safeguards to prevent similar issues in the future," Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email.

When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its focus remains on "building a high-quality product and engaging meaningfully with our growing community."

Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would submit "a detailed report to the relevant data protection authorities under applicable regulations."

It's not immediately known how long the app was publicly spilling its users' data. Anderson said that the company was still investigating the incident.

Regarding its claim that the app uses end-to-end encryption, Anderson said Raw "uses encryption in transit and enforces access controls for sensitive data within our infrastructure. Further steps will be clear after thoroughly analyzing the situation."

Anderson would not say when asked whether the company plans to adjust its privacy policy, and Anderson did not respond to a follow-up email from TechCrunch.

TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without having to provide any real-world data, such as our physical location.

We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device's location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device's location, we allowed the app access to our precise location down to a few meters.

We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.

TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user's profile information directly from the company's servers, but that the server was not protecting the returned data with any authentication.

In practice, that meant anyone could access any other user's private information by using a web browser to visit the web address of the exposed server, apirawappusers, followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user's 11-digit identifier returned private information from that user's profile, including their location data.

This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else's server because of a lack of proper security checks on the user accessing the data.

As we've explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on that same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.

U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data at scale. As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their apps perform proper authentication and authorization checks.

Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
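As an added illustration (not TechCrunch's or Raw's code) of the IDOR pattern described above and of the authentication and authorization checks CISA calls for, here is a minimal model of a profile endpoint in its exposed form beside a hardened form. The route shape, session tokens and profile records are constructed for the example; the real path on the page is not reproduced.

```python
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed sample data: 11-digit identifiers like those the article describes.
@dataclass(frozen=True)
class Profile:
    user_id: int
    display_name: str
    date_of_birth: str
    preferences: str
    lat: float   # precise coordinates: the street-level data that was exposed
    lon: float

PROFILES = {
    10000000001: Profile(10000000001, "alice", "1990-01-01", "constructed", 37.4142, -122.0774),
    10000000002: Profile(10000000002, "bob", "1988-05-05", "constructed", 37.4161, -122.0809),
}
# Constructed session store (hypothetical): bearer token -> authenticated user id.
SESSIONS = {"tok-alice": 10000000001, "tok-bob": 10000000002}
# Hypothetical route shape: a fixed prefix followed by an 11-digit identifier.
ROUTE = re.compile(r"^/users/(\d{11})$")

def exposed_handler(path: str) -> tuple[int, Optional[dict]]:
    """The IDOR pattern: the record lookup is the only check, so any guessed ID works."""
    m = ROUTE.match(path)
    p = PROFILES.get(int(m.group(1))) if m else None
    return (200, asdict(p)) if p else (404, None)

def hardened_handler(path: str, token: Optional[str]) -> tuple[int, Optional[dict]]:
    """Authenticate the caller, authorize against the requested record, then minimize fields."""
    caller = SESSIONS.get(token) if token else None
    if caller is None:
        return 401, None                       # no valid session: nothing is returned
    m = ROUTE.match(path)
    p = PROFILES.get(int(m.group(1))) if m else None
    if p is None:
        return 404, None
    if caller == p.user_id:
        return 200, asdict(p)                  # owner may read their own full record
    # Other authenticated users get only the fields needed to browse profiles;
    # date of birth and precise coordinates never leave the server for them.
    return 200, {"user_id": p.user_id, "display_name": p.display_name,
                 "preferences": p.preferences}
```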
Security Editor
© 2025 TechCrunch Media LLC