
560 points bearsyankees | 3 comments
swyx No.43965120
> Since then, I have reached out multiple times (on March 5 and March 13) seeking updates on remediation and user notification plans. Unfortunately, as of today’s publication date (April 21, 2025), I have been met with radio silence. To my knowledge, Cerca has not publicly acknowledged this incident or informed users about this vulnerability, despite their earlier assurances to me. They also never followed up with me following our call and ignored all my follow up emails.

There can always be another side to this story, but also wtf. This kind of shit makes me want to charles-proxy every new app I run, because who knows what security any random startup has.

genewitch No.43965832
I'd not heard of Charles Proxy nor gobuster.

Years ago there was a firmware for Mango travel routers that let you MITM anything connected to it, and I bought two of them, and then the information about how to set it up disappeared (I can't find it). The GL.iNet Mango travel routers is what I mean. I have one wireguarded with the switch set to shut off access or WireGuard only; the other one is for IoT devices and is connected via 10 Mbit, so even if someone managed to hack one of the two IoT things here they couldn't exfil very much, and I'd notice the blinking.

1. andrewmcwatters No.43965930
Charles Proxy has been in the industry for many years now. It's a common tool for basic reverse engineering.
2. nerdsniper No.43966189
Somewhat downplaying it. Charles is easily the most popular tool for reverse engineering client-server communications in mobile apps.

Certificate pinning frustrates Charles by hampering MITM attempts. It can be difficult to extract/replace pinned certificates from the latest versions of Android/iOS apps. Often you can extract them from older versions using specialized tools, if old-enough versions exist and those certificates are still valid for API endpoints of interest.

3. andrewmcwatters No.43966250
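The pinning check nerdsniper refers to, as an added example that is not from the thread: a minimal DER walker pulls the SubjectPublicKeyInfo out of an X.509 certificate, hashes it into the usual `sha256/…` pin string, and accepts the leaf only if that pin is in the set the app shipped, so an interception proxy's certificate fails even where a proxy CA trusted by the device would pass normal chain validation. The certificates, keys and pins below are constructed stand-ins, not real ones.

```python
import base64
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode a DER TLV: short-form length under 128 bytes, else a two-byte long form (enough here)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_read(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, body, position just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: low 7 bits give the length byte count
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate (field order per RFC 5280)."""
    _, cert, _ = der_read(cert_der, 0)              # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_read(cert, 0)                   # TBSCertificate SEQUENCE
    pos = 0
    if tbs[0] == 0xA0:                              # optional [0] EXPLICIT version
        _, _, pos = der_read(tbs, 0)
    for _ in range(5):                              # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]                             # pin over the whole SPKI TLV, as HPKP did

def spki_pin(cert_der: bytes) -> str:
    """Pin string in the usual form: 'sha256/' + base64(SHA-256(SPKI))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def pin_check(cert_der: bytes, pinned: set) -> bool:
    """Run after normal chain validation: accept the leaf only if its SPKI pin is one the app shipped."""
    return spki_pin(cert_der) in pinned

def sample_cert(spki_body: bytes) -> bytes:
    """Constructed stand-in with real X.509 field order but dummy contents; not a real certificate."""
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
           + der_tlv(0x30, b"") * 4 + der_tlv(0x30, spki_body))
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))

# Constructed keys: the API server's, a backup key held offline for rotation, and an interception proxy's.
API_CERT = sample_cert(b"api-server-public-key")
PROXY_CERT = sample_cert(b"mitm-proxy-public-key")
PINS = {spki_pin(API_CERT), spki_pin(sample_cert(b"backup-key-held-offline"))}

if __name__ == "__main__":
    print(pin_check(API_CERT, PINS), pin_check(PROXY_CERT, PINS))   # True False
```

Shipping a backup pin for a key held offline is what keeps a routine key rotation from locking every installed client out of the API.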
Yeah, I definitely did. lol

It's like saying IDA Pro is just an interesting piece of software for looking at binaries, but the grandparent comment is surely from someone who doesn't look at these utilities, so I guess that's why I didn't press it.