A dating app that this week announced a new wearable device, a ring, publicly exposed user data, including granular personal details and users' approximate location.
The app, RAW, says it is dedicated to promoting “real love, without filters” through an interface that resembles BeReal (it uses your phone's front and rear cameras at the same time), but for dating. RAW also recently announced a new device, the RAW Ring, which is supposed to let users track their partners' location to make sure they are not cheating on them (that could never create problematic situations, right?). Unfortunately, it seems that RAW was also exposing something else “without filters”: user data.
The data leak that compromised users
TechCrunch reports that, for lack of basic digital security protections, RAW accidentally left users' personal information open to public inspection. Until this week, anyone with a web browser could have accessed detailed information about the app's users, such as their date of birth, name, sexual preferences and quite specific location data, “down to the street they were on.”
TechCrunch says it discovered the security flaws during a brief test of the company's app. They downloaded RAW onto a virtualized Android device and then used a network monitoring tool to observe the data being transmitted to and from the app. The analysis showed that the personal data were not protected by any kind of authentication barrier; TechCrunch says it found the problem within minutes of using the app. TechCrunch also points out that although RAW claims to protect users with end-to-end encryption, they found no evidence that any E2EE existed. In TechCrunch's own words, the security problem was this:
When we downloaded the app, we found that it took the user's profile information directly from the company's servers, but the server did not protect the data it returned with any kind of authentication. In practice, that meant anyone could access other users' private information using a web browser and visiting the exposed server's web address – api.raw.app/users/ followed by an 11-digit number that corresponded to another user of the app. Changing the digits to the 11-digit identifier of any other user brought up that user's private profile information, including their location data. This type of vulnerability is known as an insecure direct object reference, or IDOR, which can allow anyone to access or modify data on a server because there are no access controls and the server lacks adequate checks of the user accessing the data.
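As an added illustration (not RAW's code and not part of TechCrunch's report), the access-control gap described above modelled as a minimal profile endpoint in two versions: the flawed one, where the identifier in the path is the only thing consulted, and a hardened one that authenticates the caller and authorises per object. All user ids, tokens, profiles and the Response type are constructed stand-ins.

```python
# Added example, not RAW's code: a profile endpoint shaped like /users/<11-digit id>,
# shown without and with access control. All data below is constructed.
from dataclasses import dataclass
from typing import Optional

# Constructed sample users keyed by 11-digit identifiers, as the article describes.
PROFILES = {
    "10000000001": {"name": "Alice", "dob": "1993-04-12", "location": "51.50,-0.12"},
    "10000000002": {"name": "Bob",   "dob": "1990-11-02", "location": "48.85,2.35"},
}
# Constructed session store: bearer token -> id of the user who owns the session.
SESSIONS = {"tok-alice": "10000000001", "tok-bob": "10000000002"}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_user_vulnerable(user_id: str, bearer: Optional[str] = None) -> Response:
    """The flaw as reported: the path id is the only input consulted, so any
    caller, authenticated or not, receives any user's full profile (IDOR)."""
    profile = PROFILES.get(user_id)
    return Response(200, dict(profile)) if profile else Response(404)


def get_user_hardened(user_id: str, bearer: Optional[str] = None) -> Response:
    """Fix: authenticate the caller, then authorise access to the object.
    Sensitive fields (date of birth, location) go only to the profile's owner;
    other authenticated users get a deliberately reduced public view."""
    caller = SESSIONS.get(bearer) if bearer else None
    if caller is None:
        return Response(401)                       # no valid session: reject
    profile = PROFILES.get(user_id)
    if profile is None:
        return Response(404)
    if caller == user_id:
        return Response(200, dict(profile))        # owner sees everything
    return Response(200, {"name": profile["name"]})  # everyone else: public subset
```

The hardened handler also answers 404 for unknown ids only after authentication, so an anonymous caller learns nothing about which identifiers exist.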
What RAW said

Gizmodo contacted RAW for more information. According to statements made to TechCrunch, the security problems were fixed on Wednesday. “All previously exposed endpoints have been secured, and additional safeguards have been implemented to prevent similar issues in the future,” Marina Anderson, co-founder of the RAW dating app, told the outlet.
It is not uncommon for companies to protect user data poorly. Although it may sound strange, security is not a particularly high priority in the software industry: it consumes time, is expensive and slows down other production steps, so many companies do not even bother. However, a dating app exists precisely to collect and manage users' most sensitive and intimate data, and it is obvious that it is worth devoting some extra time to building barriers that protect that data.
This article has been translated from Gizmodo US by Lucas Handley. Here you can find the original version.