←back to thread

I hacked a dating app (and how not to treat a security researcher)

(alexschapiro.com)

560 points bearsyankees | 1 comments | 12 May 25 16:39 UTC | HN request time: 0.001s | source

Show context

shayanbahal ◴[12 May 25 18:59 UTC] No.43966407[source]▶

>>43964937 (OP) #

I had a similar experience with another dating app, although they never got back to me. When I tried to get the founders attention by changing his bio to contact me text, they restored a backup lol

years later I saw their instagram ad and tried to see if the issue still exists, and yes it did. Basically anyone with the knowledge of their API endpoints (which is easy to find using the app-proxy-server) you have full on admin capabilities and access to all messages, matching, etc.

I wonder if I should go back and try again... :-?

replies(1): >>43966635 #

cobalt60 ◴[12 May 25 19:23 UTC] No.43966635[source]▶

Why not disclose it as a responsible dev with contacts and move on.

replies(1): >>43966771 #

pixl97 ◴[12 May 25 19:41 UTC] No.43966771[source]▶

If a company is not responsible enough to follow up on security reports you should not follow up, but instead disclose it to the world.

replies(3): >>43966951 #>>43966972 #>>43968390 #

1. ◴[12 May 25 23:25 UTC] No.43968390[source]▶