560 points bearsyankees | 1 comments
shayanbahal No.43966407
I had a similar experience with another dating app, although they never got back to me. When I tried to get the founder's attention by changing his bio to "contact me" text, they restored a backup lol

Years later I saw their Instagram ad and tried to see if the issue still exists, and yes it did. Basically, anyone with knowledge of their API endpoints (which is easy to find using the app-proxy-server) has full-on admin capabilities and access to all messages, matching, etc.

I wonder if I should go back and try again... :-?

cobalt60 No.43966635
Why not disclose it as a responsible dev with contacts and move on?
pixl97 No.43966771
If a company is not responsible enough to follow up on security reports you should not follow up, but instead disclose it to the world.
shayanbahal No.43966951
I think it took so long that I moved on, but you are right and I should have done that. Probably I'll take a look again to see if I can do it now :)
evantbyrne No.43967205
Been there. Nagged the city of Seattle for nearly two years about fixing their insecure digital wallets, and in return they just acted weird to me and never really fixed the problem. Wouldn't tell me anything, not even the vendor, so I could communicate to them that this issue could exist elsewhere. The goal of these tactics is to delay long enough that you give up on publishing. So publish. Just be ethical and stay within the bounds of the law on what you access and release.
shayanbahal No.43967306
I did a quick test and it seems like the full admin access that I used to get is slightly fixed/changed. I'm wondering: if there was an issue and I have enough data to show there was a full compromise of all users' data, but it is changed now (might still be vulnerable, but let's say it's not), should I still release something? They should have notified their users of such an issue, right?
evantbyrne No.43967483
Sounds worthy of a blog post to me