A recent security lapse at the dating app Raw has raised serious concerns after exposing users’ personal data and private location information to the public. The breach, discovered by JS, revealed sensitive details such as users’ display names, dates of birth, dating and sexual preferences associated with the Raw app, and even specific location coordinates that could pinpoint users with street-level accuracy.
Raw, a dating app launched in 2023, distinguishes itself by promoting more authentic interactions through daily selfie uploads. While the app’s user base remains undisclosed, the Google Play Store indicates over 500,000 Android downloads. This incident coincides with the announcement of Raw’s new hardware extension, the Raw Ring, a wearable device purported to track partners’ emotions in real time to detect potential infidelity.
Despite Raw’s claims of end-to-end encryption for user privacy, an analysis by JS revealed that the app was inadvertently exposing user data to anyone with a web browser. The company rectified the issue promptly after being notified by JS, implementing additional security measures to prevent similar incidents in the future.
While Raw insists that it encrypts data in transit and enforces access controls on sensitive information, questions remain about the actual security measures in place. The app’s privacy policy and encryption practices are under scrutiny following this breach, prompting concerns about user data protection and transparency.
JS’s investigation into the exposed data uncovered a vulnerability known as an insecure direct object reference (IDOR), in which a server returns the record named by an identifier in the request without checking that the requester is allowed to see it. Here it enabled unauthorized access to user profiles and location data. This type of bug poses significant risks, allowing malicious actors to exploit the system and access sensitive information on a large scale.
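An added illustration of the bug class described above (not Raw's code or API; every name, record and token here is constructed): a lookup that trusts the requested ID, next to one that authenticates the caller and then authorizes per object and per field. Rounding coordinates for other users is an assumed mitigation, not something the article says Raw did.

```python
# Added illustration; not Raw's code. All names, records and tokens are constructed.
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Profile:
    user_id: int
    display_name: str
    date_of_birth: str
    preferences: str
    lat: float
    lon: float


# Constructed sample data standing in for a user table and a session store.
USERS = {
    1001: Profile(1001, "alex", "1995-04-02", "constructed", 38.72231, -9.13934),
    1002: Profile(1002, "sam", "1990-11-17", "constructed", 52.52001, 13.40495),
}
SESSIONS = {"token-alex": 1001}  # session token -> authenticated user id


def get_profile_vulnerable(user_id: int) -> dict:
    """IDOR: the ID in the request is the only input; no caller identity is checked."""
    return asdict(USERS[user_id])


def get_profile_hardened(session_token: Optional[str], user_id: int) -> dict:
    """Authenticate the caller, then authorize per object and per field."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise PermissionError("authentication required")
    profile = USERS.get(user_id)
    if profile is None:
        raise LookupError("no such profile")
    if caller == user_id:
        return asdict(profile)  # owners may read their own full record
    # Anyone else gets an allow-listed view: no date of birth, no preferences,
    # and coordinates rounded to one decimal place (roughly 11 km of latitude).
    return {
        "user_id": profile.user_id,
        "display_name": profile.display_name,
        "lat": round(profile.lat, 1),
        "lon": round(profile.lon, 1),
    }
```
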
In response to the breach, Raw has addressed the security flaw, ensuring that user data is no longer accessible through the exposed server. However, questions persist about the company’s security practices and commitment to safeguarding user information.
As the investigation continues, Raw faces scrutiny over its handling of user data and the need for more robust security measures to prevent future breaches. The incident serves as a stark reminder of the importance of data protection and the potential risks associated with sharing personal information online.