
560 points bearsyankees | 2 comments
michaelteter ◴[] No.43965514[source]
Not excusing this in any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.

https://georgetownvoice.com/2025/04/06/georgetown-students-c...

replies(10): >>43965600 #>>43965723 #>>43965782 #>>43966035 #>>43966222 #>>43966281 #>>43966578 #>>43967558 #>>43968803 #>>43969670 #
selcuka ◴[] No.43968803[source]
Fair point, but come on. Not returning the OTP (which is supposed to be a secret) in the response payload is common sense, whether you are a seasoned developer or a high school student.

It is also a commercial product, not something they made for fun:

    In-App Purchases
    - Cerca App $9.99
    - Cerca App 3 month $9.99
    - 10 Swipes $2.99
    - 3 Swipes $0.99
    - 5 swipes $1.99
    - 3 Searches $1.99
    - 10 Searches $3.99
    - 5 Searches $2.99
replies(1): >>43969536 #
1. root_axis ◴[] No.43969536[source]
Sadly, it's not common sense. I've worked with dozens of people who just throw arbitrary state into front-end response payloads because they're lazy and just push to the front-end whatever comes from the service API.
replies(1): >>43973022 #
2. selcuka ◴[] No.43973022[source]
> because they're lazy

Exactly my point. The reason is not being a university student. It's laziness, or not taking your job seriously.
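The failure the thread describes (a verification record dumped straight into the response, OTP included) next to the explicit-allowlist form, as an added example that is not the app's code or from any commenter; the record shape, field names and function names are assumptions.

```python
"""Added example: returning a whole backend record vs. an explicit response allowlist."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class VerificationRecord:
    # Assumed server-side shape; the OTP must only reach the user out of band (e.g. SMS).
    phone: str
    otp: str
    expires_at: int


def start_verification(phone: str, now: int, ttl: int = 300) -> VerificationRecord:
    # Six-digit code from a CSPRNG, with a short lifetime.
    return VerificationRecord(phone=phone,
                              otp=f"{secrets.randbelow(10**6):06d}",
                              expires_at=now + ttl)


def leaky_response(record: VerificationRecord) -> dict:
    # Anti-pattern from the thread: push whatever the service returns to the client.
    # vars() serialises every field, so the secret ends up in the JSON body.
    return vars(record)


RESPONSE_FIELDS = ("phone", "expires_at")


def safe_response(record: VerificationRecord) -> dict:
    # Allowlist: the client gets only the fields it needs to render the next step.
    return {name: getattr(record, name) for name in RESPONSE_FIELDS}


def verify(record: VerificationRecord, submitted: str, now: int) -> bool:
    # Constant-time comparison; expiry checked first so a stale code never passes.
    if now > record.expires_at:
        return False
    return hmac.compare_digest(record.otp, submitted)


def leaks_secret(payload: dict, secret: str) -> bool:
    # A cheap check a response test can run: does the secret appear anywhere in the body?
    return secret in str(payload)
```

A test that runs `leaks_secret` over every response of the verification flow catches this class of bug before release, regardless of which serializer produced the body.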