A dating app for HIV-positive people that was leaking sensitive user data apparently threatened to infect the admin of a site that planned to write about it.
What the dating app, Hzone, threatened:
Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead.
Well, that’s a first, the admin of DataBreaches.net – “Dissent” – told Salted Hash’s Steve Ragan over at security publication CSO.
In an email to Ragan, Dissent said that she couldn’t recall any response that “even comes close to this level of insanity.”
Hzone, launched in March 2015, is a dating app for HIV singles that allows users to Tinderishly swipe profiles right or left.
It’s rated four out of five stars on its partner site, HIV Positive Dating, a support and dating group for people with sexually transmitted diseases.
According to CSO, Hzone representatives claim that the app has more than 4900 registered users.
The leakage was brought to light by Chris Vickery.
Given that the leak involves a MongoDB database housing Hzone’s data – and given that Chris Vickery is also the name of the help-desk worker by day/security researcher by night who recently found that the MongoDB-backed MacKeeper is failing to keep 13 million Macs safe – I’m going to hazard a guess that this is one and the same MongoDB poker, and have reached out to him to confirm that.
At any rate, Vickery discovered that sometime before 29 November the MongoDB database had been exposed to the internet with no access controls, leaving 5027 accounts (it apparently picked up 100 accounts over the week it was leaking) fully available to anyone who knew how to find public-facing MongoDB installations.
Vickery’s attempts at responsible disclosure were met with silence from Hzone, so he turned to the DataBreaches.net blog for help.
Five days after repeated notifications from Vickery and DataBreaches.net’s Dissent, Hzone finally stirred itself to respond with the bizarre message above.
In all that time, sensitive data was up for grabs. That included users’ date of birth, religion, relationship status, country, email address, ethnicity, height, last login IP address, username, orientation, number of children, and password hash.
Dissent noted that users can also enter their nicknames, share their political views and sexual life experiences, and post their photo in their profile.
On top of all that, Hzone’s database also stores messages posted by members – often with personal or sensitive information, such as this:
Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go in meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx
Dissent says that DataBreaches.net filed a complaint with the US Federal Trade Commission (FTC) last Wednesday (9 December) urging them to talk some sense into the developer.
The FTC didn’t respond, Dissent says.
Apple’s iTunes App Store did respond when the blog contacted it on Saturday (12 December), saying that it would investigate.
Finally, on Monday night, the database was secured, but only after far more back-and-forth between Vickery, DataBreaches.net and an Hzone spokesperson who admitted in an email that the company’s tech team wasn’t exactly what you’d call tech literate.
Dissent’s post is replete with even more scarcely believable details about Hzone.
It’s well worth a read, though you might want to put a pillow down on your desk first if you’re given to head bangery.
I feel the need to echo Dissent’s “User Beware” notice. If you know anybody who might be using Hzone, please do ask them to read her post.
While anyone can have a leak or breach, Hzone’s failure to timely respond to notification, the lack of encryption for stored sensitive data, and their refusal to delete profiles when they have inadequate incident response are truly concerning.