On its first day.
The app, available on Apple and Android, went live on Monday morning and Fox News reported that Donald Daters is “open to everyone.” Unfortunately, Donald Daters turned out to be open in ways you really don’t want your app to be.
After Fox’s report was widely picked up by other media outlets, French security researcher Baptiste Robert – who also goes by the Mr. Robot-inspired handle Elliot Alderson – discovered that the app was exposing user information in an open database, including biographical details such as user names and profile photos. It was also exposing what could have been session ID tokens, which would allow attackers to log into people’s accounts and read their private messages.
Don’t use this app, Robert told Trump supporters:
Hi @FoxNews and @realDonaldTrump supporters,
You should not use this app. In 5 minutes, I managed to get:
- the list of all the people registered
- personal messages
- token to steal their session
Thread ⬇️ https://t.co/72KdNJTrmk
— Elliot Alderson (@fs0c131y) October 15, 2018
Motherboard reports that the exposed database included alleged private messages between accounts. It wasn’t able to confirm their veracity, given that users can only send messages for free to one another after a Tinder-style match or if they pony up the monthly $29.99 fee (a one-year subscription costs $9.99/month). Motherboard didn’t check out the potential login tokens because doing so would be legally problematic.
Robert told Motherboard that the issue is “super easy to replicate.”
Robert said that he could get at the data thanks to a publicly exposed Firebase data repository that was hardcoded in the dating app. TechCrunch reports that soon after it contacted the app maker, the data was pulled offline.
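As an added illustration, not the app’s own configuration (the article does not describe its data schema), here is what the difference looks like in Firebase Realtime Database security rules: the wide-open setting that lets any client read and write everything, next to a locked-down version that limits profiles to signed-in users and private messages to the participants. The data layout (users/<uid>, conversations/<cid>) is assumed for the example.

```json
{
  "rules": {
    // An "open to everyone" database is one whose top-level rules amount to:
    //   ".read": true, ".write": true
    // Anyone holding the project URL can then list every record without logging in.
    // The rules below deny everything by default and open only what each user needs;
    // anything not listed here (e.g. a node holding session tokens) stays unreadable.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Assumed layout: public profile fields under users/<uid>/profile,
        // sensitive fields (email, device tokens) under users/<uid>/private.
        "profile": {
          ".read": "auth != null",
          ".write": "auth != null && auth.uid === $uid"
        },
        "private": {
          ".read": "auth != null && auth.uid === $uid",
          ".write": "auth != null && auth.uid === $uid"
        }
      }
    },

    "conversations": {
      "$cid": {
        // Assumed layout: conversations/<cid>/members/<uid> = true for each participant,
        // with messages stored under conversations/<cid>/messages/<mid>.
        // Read access granted here cascades to the messages below it, so only members see them.
        ".read": "auth != null && data.child('members').child(auth.uid).val() === true",
        "messages": {
          "$mid": {
            // Only a member may write, and only as themselves.
            ".write": "auth != null && root.child('conversations').child($cid).child('members').child(auth.uid).val() === true && newData.child('from').val() === auth.uid"
          }
        }
      }
    }
  }
}
```

Firebase rules cascade downward: a read permission granted on a parent node cannot be revoked on a child, so grants should be placed as deep in the tree as possible.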
Donald Daters was founded by Emily Moreno, a former aide to Senator Marco Rubio. She sent out this statement confirming the exposure on Tuesday:
We have taken swift and decisive action to remedy the mistake and make all possible efforts to prevent this from happening again. Out of an abundance of caution, we have temporarily suspended the chat service on the app while we implement new security protocols. We are also taking immediate steps to engage a leading, independent cybersecurity firm to pressure test the system to ensure it is secure against other vulnerabilities.
Donald Daters isn’t the only app for the lovelorn to suffer privacy issues: