←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 3 comments | 12 May 25 16:39 UTC | HN request time: 0.678s | source
Show context
nixpulvis ◴[12 May 25 17:50 UTC] No.43965715[source]
People need to be forced to think twice before taking in such sensitive information as a passport or even just addresses. This sort of thing cannot be allowed to be brushed off as just a bunch of kids making an app.
replies(5): >>43965749 #>>43966078 #>>43966320 #>>43966383 #>>43968604 #
koakuma-chan ◴[12 May 25 17:54 UTC] No.43965749[source]
Were they not using some kind of third party identity verification service? That's what I usually see apps do. Don't tell me those third party services still share your ID with the app (like the actual images)?
replies(1): >>43965830 #
1. nixpulvis ◴[12 May 25 18:00 UTC] No.43965830[source]
Read the article. They clearly have their own OTP setup.

But if they are asking for your passport, then they have access to it. It's not a third party asking and providing them with some checkmark or other reduced risk data.

replies(1): >>43965856 #
2. koakuma-chan ◴[12 May 25 18:02 UTC] No.43965856[source]
I have read the article and OTP has nothing to do with identity verification. I'm asking because every single time I went through identity verification the app used a third party service that is supposed to be trustworthy.
replies(1): >>43965903 #
3. nixpulvis ◴[12 May 25 18:08 UTC] No.43965903[source]
I see what you mean. But they literally had passport front/back URLs, so they aren't using a third party for that either.