←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)
561 points bearsyankees | 3 comments | 12 May 25 16:39 UTC | HN request time: 0s | source
Show context
michaelteter ◴[12 May 25 17:34 UTC] No.43965514[source]
Not excusing this is any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
genewitch ◴[12 May 25 17:50 UTC] No.43965723[source]
i have an idea, if you don't know anything about app security, don't make an app. "Whataboutism" not-withstanding, this actually made me feel a little ill, and your comment didn't help. I have younger friends that use dating sites and having their information exposed to whoever wants it is gross, and the people who made it should feel bad.

They should feel bad about not communicating with the "researcher" after the fact, too. If i had been blown off by a "company" after telling them everything was wide open to the world for the taking, the resulting "blog post" would not be so polite.

STOP. MAKING. APPS.

replies(5): >>43965917 #>>43966137 #>>43966193 #>>43967241 #>>43967547 #
dylan604 ◴[12 May 25 18:10 UTC] No.43965917[source]
Stop pushing POCs into PROD.

There's nothing wrong with making your POC/MVP with all of the cool logic that shows what the app will do. That's usually done to gain funding of some sort, but before releasing. Part of the releasing stage should be a revamped/weaponized version of the POC, and not the damn POC itself. The weaponized version should have security stuff added.

That's much better than telling people stop making apps.

replies(1): >>43966049 #
genewitch ◴[12 May 25 18:22 UTC] No.43966049[source]
These "devs" released an app to prod that took passport information and who knows what else. They had no business asking for any of that PII.

If all of the developers were named and shamed, would you, as a hiring manager, ever hire them to develop an app for you? Or would you, in fact, tell them to stop making apps?

They enabled stalkers. There's no possible way to argue that they didn't, you don't know, and some random person just looked into it because their friends mentioned the app and found all of this. I guarantee if anyone with a modicum of security knowledge looks the platform over there's going to be a lot more issues.

It's one thing to be curious and develop something. It's another to seek VC/investments to "build out the service" by collecting PII and not treating it as such. Stop. Making. Apps.

replies(1): >>43966208 #
dylan604 ◴[12 May 25 18:39 UTC] No.43966208[source]
If I were ever a hiring manager, hell would have frozen over. But I'm not one for immediately firing someone for making mistakes. Correct the mistake and move on. Some mistakes will never be forgotten, and that dev will forever remember that somethings need extra attention.

Also, if we're talking about a company that had a hiring manager in the process of making an app and did not hire employees with security knowledge somewhere in the process, then the entire company is rotten.

Let me flip this on its head though with your same logic. If you're the type of person that would be willing to provide an app your passport information. Stop. Using. Apps.

replies(2): >>43966233 #>>43966641 #
genewitch ◴[12 May 25 18:42 UTC] No.43966233[source]
These apps are for people who are looking for mates, temporary or otherwise. There may be more nuance than "dummy gave passport info to app"
replies(1): >>43966363 #
1. dylan604 ◴[12 May 25 18:55 UTC] No.43966363{3}[source]
Not once ever in my quest of looking for a mate did the potential mate ask to see my passport. There are times when common sense must be used. If an app is asking for invasive data that just feels out of place, just stop. The juice isn't worth the squeeze
replies(2): >>43966520 #>>43967154 #
2. genewitch ◴[12 May 25 19:11 UTC] No.43966520[source]
I had a feeling some would get hung up on the "passport" thing. The "private" intimate chats were leaked, too. And full name, city, university, phone numbers, sexual preferences, and geolocation. And photographs, obviously. I assume the passport/ID stuff was for "verified accounts", but again, none of that crap should be saved in a database - a boolean default false "VERIFIED" in the user table should suffice.

The disclosure didn't show every API endpoint, just a few dealing with auth and profiles. They also mentioned only a few PII, you can tell because there were multiple screenshots spread throughout the post. I'm harping on passport for the reason you specify, too; but mostly that information shouldn't be stored...

3. zdragnar ◴[12 May 25 20:31 UTC] No.43967154[source]
Setting aside all of the other info that was leaked, knowing that the only profiles you see are actual, real people would be nice.

Way back when I last used a dating site, a significant percentage of profiles ended up being placeholders for scams of some sort.

In fact, several texted me a link to some bogus "identity verification" site under the guise of "I get too many fake bot profile hits"... Read the fine print, and you're actually signing up for hundreds of dollars worth of pron subscriptions.

If the dating app itself verified people were real, AND took reports of spam seriously, AND kept that information in a way that wasn't insecure, it'd be worth it.