Most active commenters
  • nixpulvis(7)
  • behringer(3)

←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
560 points bearsyankees | 26 comments | 12 May 25 16:39 UTC | HN request time: 0.635s | source | bottom
1. nixpulvis ◴[12 May 25 17:50 UTC] No.43965715[source]
People need to be forced to think twice before taking in such sensitive information as a passport or even just addresses. This sort of thing cannot be allowed to be brushed off as just a bunch of kids making an app.
replies(5): >>43965749 #>>43966078 #>>43966320 #>>43966383 #>>43968604 #
2. koakuma-chan ◴[12 May 25 17:54 UTC] No.43965749[source]
Were they not using some kind of third party identity verification service? That's what I usually see apps do. Don't tell me those third party services still share your ID with the app (like the actual images)?
replies(1): >>43965830 #
3. nixpulvis ◴[12 May 25 18:00 UTC] No.43965830[source]
Read the article. They clearly have their own OTP setup.

But if they are asking for your passport, then they have access to it. It's not a third party asking and providing them with some checkmark or other reduced risk data.

replies(1): >>43965856 #
4. koakuma-chan ◴[12 May 25 18:02 UTC] No.43965856{3}[source]
I have read the article and OTP has nothing to do with identity verification. I'm asking because every single time I went through identity verification the app used a third party service that is supposed to be trustworthy.
replies(1): >>43965903 #
5. nixpulvis ◴[12 May 25 18:08 UTC] No.43965903{4}[source]
I see what you mean. But they literally had passport front/back URLs, so they aren't using a third party for that either.
6. jonny_eh ◴[12 May 25 18:25 UTC] No.43966078[source]
There should to be some kind of government operated identity confirmation service that is secure/private.

Or by someone "government-like" such as Apple or Google.

replies(4): >>43966153 #>>43966160 #>>43967625 #>>43969390 #
7. clifflocked ◴[12 May 25 18:33 UTC] No.43966153[source]
OAuth exists and can be used to confirm someone's identity by linking their Google account.
replies(3): >>43966180 #>>43966304 #>>43966328 #
8. behringer ◴[12 May 25 18:34 UTC] No.43966160[source]
when I worked for the government, within 2 months they had leaked all of my data to the black market.

Governments should not be confirming shit.

replies(1): >>43966794 #
9. nixpulvis ◴[12 May 25 18:36 UTC] No.43966180{3}[source]
To be fair, I wouldn't want my google account linked to my dating profile. Aggregating services has risks too.
replies(1): >>43966203 #
10. knicholes ◴[12 May 25 18:38 UTC] No.43966203{4}[source]
Maybe secondary google account.
replies(1): >>43969394 #
11. smt88 ◴[12 May 25 18:49 UTC] No.43966304{3}[source]
A Google account does nothing to prove identity
12. kelnos ◴[12 May 25 18:50 UTC] No.43966320[source]
And for things like passport or other ID details, there's also no reason to expose them publicly at all after they've been entered. If you want an API available to fetch the data so you can display it in the UI, there's no need to include the full passport/ID number; at the very least it can be obscured with only the last few digits sent back via the API.

But for something like a dating site, It's enough for the API to just return a boolean verified/not-verified for the ID status (or an enum of something like 'not-verified', 'passport', 'drivers-license', etc.). There's no real need to display any of the details to the client/UI.

(In contrast with, say, and airline app where you need to select an identity document for immigration purposes, where you'd want to give the user more details so they can make the choice. But even then, as they do in the United app, they only show the last few digits of the passport number... hopefully that's all that's sent over their internal API as well.)

13. kelnos ◴[12 May 25 18:52 UTC] No.43966328{3}[source]
Linking a Google account doesn't confirm your identity, though. It just confirms that you created a Google account with a particular name.
14. VBprogrammer ◴[12 May 25 18:57 UTC] No.43966383[source]
The UK government are trying really hard to mandate IDs for access to porn sites. Can't wait for that to blow up in their faces.
replies(2): >>43966783 #>>43984954 #
15. pixl97 ◴[12 May 25 19:43 UTC] No.43966783[source]
"They" don't care, the entire point of many of these laws is to increase the friction and fear of being disclosed that you don't visit these sites in the first place.
16. pixl97 ◴[12 May 25 19:45 UTC] No.43966794{3}[source]
The government already has all your data so I'm not sure who you think should be confirming identity.
replies(1): >>43967532 #
17. behringer ◴[12 May 25 21:15 UTC] No.43967532{4}[source]
and my point is that they leak it. So it's hardly useful to have them both house and confirm the data when they can't house it properly.

They'll be confirming data that is publicly available.

replies(1): >>43967610 #
18. jonny_eh ◴[12 May 25 21:26 UTC] No.43967610{5}[source]
But what additional data are you worried about them having?
replies(1): >>43998986 #
19. steeeeeve ◴[12 May 25 21:28 UTC] No.43967625[source]
Government is the worst possible solution to every problem.

(not an attack on you. I have to say that every time I see someone say anything along the lines of "the government should do it")

replies(1): >>43968361 #
20. GuinansEyebrows ◴[12 May 25 23:20 UTC] No.43968361{3}[source]
Government is made the worst possible solution thanks to lobbying and lawyers. It doesn't have to be this way.
21. vincvinc ◴[13 May 25 00:07 UTC] No.43968604[source]
See; GDPR

https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

replies(1): >>43969403 #
22. nixpulvis ◴[13 May 25 03:16 UTC] No.43969390[source]
I would rather see an FDPA (Federal Data Protection Administration) which goes after people who get this stuff wrong.
23. nixpulvis ◴[13 May 25 03:18 UTC] No.43969394{5}[source]
Yea, but then what I have to upload my passport through a service linked to that secondary. It's not really tenable.
24. nixpulvis ◴[13 May 25 03:19 UTC] No.43969403[source]
The US desperately needs similar legislation.
25. webninja ◴[14 May 25 14:26 UTC] No.43984954[source]
Generally speaking, the UK government doesn’t care about it's citizens. That’s why so many left to the USA for a better life.
26. behringer ◴[15 May 25 20:28 UTC] No.43998986{6}[source]
If a private company can't do it. You can bet double or nothing that the government can't do it:

https://news.ycombinator.com/item?id=43996307