560 points bearsyankees | 23 comments
michaelteter No.43965514
Not excusing this in any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
1. genewitch No.43965723
I have an idea: if you don't know anything about app security, don't make an app. "Whataboutism" notwithstanding, this actually made me feel a little ill, and your comment didn't help. I have younger friends that use dating sites, and having their information exposed to whoever wants it is gross, and the people who made it should feel bad.

They should feel bad about not communicating with the "researcher" after the fact, too. If I had been blown off by a "company" after telling them everything was wide open to the world for the taking, the resulting "blog post" would not be so polite.

STOP. MAKING. APPS.

replies(5): >>43965917 #>>43966137 #>>43966193 #>>43967241 #>>43967547 #
2. dylan604 No.43965917
Stop pushing POCs into PROD.

There's nothing wrong with making your POC/MVP with all of the cool logic that shows what the app will do. That's usually done to gain funding of some sort, but before releasing. Part of the releasing stage should be a revamped/weaponized version of the POC, and not the damn POC itself. The weaponized version should have security stuff added.

That's much better than telling people stop making apps.

replies(1): >>43966049 #
3. genewitch No.43966049
These "devs" released an app to prod that took passport information and who knows what else. They had no business asking for any of that PII.

If all of the developers were named and shamed, would you, as a hiring manager, ever hire them to develop an app for you? Or would you, in fact, tell them to stop making apps?

They enabled stalkers. There's no possible way to argue that they didn't, you don't know, and some random person just looked into it because their friends mentioned the app and found all of this. I guarantee if anyone with a modicum of security knowledge looks the platform over there's going to be a lot more issues.

It's one thing to be curious and develop something. It's another to seek VC/investments to "build out the service" by collecting PII and not treating it as such. Stop. Making. Apps.

replies(1): >>43966208 #
4. imiric No.43966137
You're shouting into the void. The people making this type of product have zero regard for their users' data, and best engineering or security practices. They're using AI to pump out a product as quickly as possible, and if it doesn't work (i.e. makes them money), they'll do it again with something else.

This can only be solved by regulation.

5. ghssds No.43966193
Programming should require a government-emitted license reserved to alumni of duly certified schools. Possession of a Turing-complete compiler or interpreter without permission should be a felony.
replies(2): >>43966667 #>>43967296 #
6. dylan604 No.43966208{3}
If I were ever a hiring manager, hell would have frozen over. But I'm not one for immediately firing someone for making mistakes. Correct the mistake and move on. Some mistakes will never be forgotten, and that dev will forever remember that some things need extra attention.

Also, if we're talking about a company that had a hiring manager in the process of making an app and did not hire employees with security knowledge somewhere in the process, then the entire company is rotten.

Let me flip this on its head though with your same logic. If you're the type of person that would be willing to provide an app your passport information. Stop. Using. Apps.

replies(2): >>43966233 #>>43966641 #
7. genewitch No.43966233{4}
These apps are for people who are looking for mates, temporary or otherwise. There may be more nuance than "dummy gave passport info to app".
replies(1): >>43966363 #
8. dylan604 No.43966363{5}
Not once ever in my quest of looking for a mate did the potential mate ask to see my passport. There are times when common sense must be used. If an app is asking for invasive data that just feels out of place, just stop. The juice isn't worth the squeeze.
replies(2): >>43966520 #>>43967154 #
9. genewitch No.43966520{6}
I had a feeling some would get hung up on the "passport" thing. The "private" intimate chats were leaked, too. And full name, city, university, phone numbers, sexual preferences, and geolocation. And photographs, obviously. I assume the passport/ID stuff was for "verified accounts", but again, none of that crap should be saved in a database - a boolean default false "VERIFIED" in the user table should suffice.

The disclosure didn't show every API endpoint, just a few dealing with auth and profiles. They also mentioned only a few PII, you can tell because there were multiple screenshots spread throughout the post. I'm harping on passport for the reason you specify, too; but mostly that information shouldn't be stored...
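The "verify, then keep only a boolean" design from the comment above, as an added example that is not code from the app under discussion or from anyone in this thread. The document check itself (`is_plausible_document`) is a stand-in for whatever verification provider a real app would call; the `IdentityDocument` input is constructed sample data. The point is what gets persisted afterwards: the hardened path stores only the outcome and a timestamp, the anti-pattern path stores the document, and a small retention audit tells the two apart.

```python
"""Verify-then-discard pattern for identity checks (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields that must never appear in a persisted user record (assumption:
# this is the app's own minimisation policy, not a standard list).
FORBIDDEN_FIELDS = {"passport_number", "document_image", "date_of_birth", "document_country"}


@dataclass(frozen=True)
class IdentityDocument:
    """Transient, in-memory only. Lives for the duration of one check."""
    passport_number: str
    document_country: str
    document_image: bytes


def is_plausible_document(doc: IdentityDocument) -> bool:
    """Stand-in for a real verification provider call (assumption: returns bool)."""
    return len(doc.passport_number) >= 6 and len(doc.document_image) > 0


def verify_and_record(users: dict, user_id: str, doc: IdentityDocument) -> bool:
    """Hardened path: run the check, then store only the outcome.

    The document object is never written into the user store; once this
    function returns, nothing references it and it is garbage-collected.
    """
    ok = is_plausible_document(doc)
    record = users.setdefault(user_id, {"verified": False})
    if ok:
        record["verified"] = True
        record["verified_at"] = datetime.now(timezone.utc).isoformat()
    return ok


def verify_and_record_badly(users: dict, user_id: str, doc: IdentityDocument) -> bool:
    """Anti-pattern: persisting the document alongside the flag "just in case"."""
    ok = is_plausible_document(doc)
    record = users.setdefault(user_id, {})
    record.update(
        {
            "verified": ok,
            "passport_number": doc.passport_number,
            "document_image": doc.document_image,
        }
    )
    return ok


def retention_violations(users: dict) -> list:
    """Audit helper: (user_id, field) pairs where forbidden data was persisted."""
    return [
        (uid, field)
        for uid, rec in users.items()
        for field in sorted(rec)
        if field in FORBIDDEN_FIELDS
    ]


def demo() -> dict:
    """Run both paths on constructed input and return the resulting store."""
    users = {"alice": {"verified": False}, "bob": {"verified": False}}
    doc = IdentityDocument("X1234567", "XX", b"\x89PNG constructed sample bytes")
    verify_and_record(users, "alice", doc)
    verify_and_record_badly(users, "bob", doc)
    return users


if __name__ == "__main__":
    store = demo()
    print("alice record:", store["alice"])
    print("violations:", retention_violations(store))
```

The audit function is the part worth wiring into CI or a nightly job: it is cheap, and it turns "we don't store that" from a claim into something checked against the actual schema.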

10. No.43966641{4}
11. yamazakiwi No.43966667
You've successfully contributed 20 pts to your institutional privilege score. Impressive! You're just one step away from your next badge:

"Class Immobility" (95% of users unlock this without trying!)

How to unlock: Be denied access to an accredited education. Work twice as hard for half the recognition. Watch opportunities pass you by while gatekeepers congratulate themselves!

replies(2): >>43966715 #>>43968089 #
12. pixl97 No.43966715{3}
While the previous comment is an overreaction, the wild west free-for-all we have is also a problem.

At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

Programmers now should start looking into standards of professional behaviors before they are forced on them by law.

replies(1): >>43966765 #
13. yamazakiwi No.43966765{4}
The problem isn't that anyone has access to programming, it's that corporate incentives prioritize profit over quality, security, and ethics.

And sure, if your follow-up is "that won’t change," I get it, but that doesn’t mean the open nature of programming is the problem.

>At the end of the day the masses will finally get tired of the fuckery of programmers doing whatever they want and start putting laws in place, and the laws will be passed by the stupidest people among us.

I agree laws will pass eventually, but it won't start from the people. They rarely even think or hear about software security as something other than an amorphous boogeyman, and there are no repercussions, so any voices are easily forgotten. Eventually, it will be some big tech corp executive or politician moving into government convincing them to create a security auditing authority to extract money from these companies and/or shut them down.

I'm sure we can find some holier than thou types to fill chairs with security auditors for the new "SSC" once it's greenlit.

14. zdragnar No.43967154{6}
Setting aside all of the other info that was leaked, knowing that the only profiles you see are actual, real people would be nice.

Way back when I last used a dating site, a significant percentage of profiles ended up being placeholders for scams of some sort.

In fact, several texted me a link to some bogus "identity verification" site under the guise of "I get too many fake bot profile hits"... Read the fine print, and you're actually signing up for hundreds of dollars worth of pron subscriptions.

If the dating app itself verified people were real, AND took reports of spam seriously, AND kept that information in a way that wasn't insecure, it'd be worth it.

15. yibg No.43967241
End of the day it's an ROI analysis (using the term loosely here, more of a gut feel). What is the cost and benefits of making an app more secure vs pushing out an insecure version faster. Unfortunately in today's business and funding climate, the latter has better pay off (for most things anyways).

Until the balance of incentives changes, I don't see any meaningful change in behavior unfortunately.

16. motorest No.43967296
> Programming should require a government-emitted license reserved to alumni of duly certified schools.

Nonsense. I've met PhDs in computer science that were easily out-performed by kids fresh out of coding bootcamps. Do you think that spending 5 years doing a few written exams makes you competent at cyber security? Absurd.

replies(1): >>43967384 #
17. dyslexit No.43967384{3}
I'm pretty sure the comment was sarcastic. The grandparent comment was so over the top with its moral outrage that sarcasm feels like about the only appropriate response.
replies(3): >>43968247 #>>43969417 #>>43970741 #
18. rs186 No.43967547
There is a point to your comment, but I am afraid you are shouting at the wrong thing.

Instead, I think this is the fair approach: anyone is free to make a website/app/VR world whatever, but if it stores any kind of PII, you had better know what you are doing. The problem is not security. The problem is PII. If someone's AWS key got hacked, leaked and used by others, well it's bad, but that's different from my personal information getting leaked and someone applying for a credit card on my behalf.

19. GuinansEyebrows No.43968089{3}
We could probably stand to stop treating software engineering like some holy calling for geniuses only and start treating it for what it is: a skilled trade that can be regulated and accredited like all the rest of them. It's really not a wild idea and it wouldn't stop kids (or anyone, really) from learning on their own. My parents taught me how to use tools as a kid and I learned how to fix my own toilet, but I didn't decide that made me qualified to go start plumbing professionally without apprenticing first.
replies(1): >>43968232 #
20. yamazakiwi No.43968232{4}
I completely agree! Thank you for this.
21. yamazakiwi No.43968247{4}
I am now realizing that it was most likely sarcastic after reading your comment, and am now wondering how I didn't take the extreme speech as obvious sarcasm before.

Should've known when they said interpreters and compilers.

Incidentally I replied with sarcasm to theirs as well so it all works out.

22. mlrtime No.43969417{4}
https://en.wikipedia.org/wiki/Poe%27s_law
23. motorest No.43970741{4}
> I'm pretty sure the comment was sarcastic.

I can't tell because I've seen the same exact argument being made with a straight face in other discussions.