Group sex app leaks locations, pics and personal details identifying users in White House

More than 1.5 million users of a group dating service had their data exposed, including their real-time location, because of a vulnerability in the app.


The dating site, 3Fun, defines itself as a “private space” where you can meet “local kinky, open-minded people”. But the data wasn’t private at all. Ken Munro, the founder of Pen Test Partners, published its findings on Thursday and said it was “probably the worst security for any dating app we’ve ever seen.”

3Fun isn’t the first dating app to have location disclosure issues. Apps like Grindr have previously been manipulated through a process called ‘trilateration’, which involves spoofing GPS locations to get exact positions and distances of other users.

3Fun is said to be even less secure because it’s easy for hackers to use something called a ‘GET request’ to find exact coordinates of a user.

Pen Test Partners researchers found the app was leaking the exact location, photos and other private details of any nearby user.


Worse, because the app wasn’t properly secured, the researchers found they could plug in any coordinates they wanted to spoof their location, revealing sensitive information on anyone within any area of their choosing, including government buildings, military bases and even intelligence agencies.

It is possible to find profiles of users at both locations, including their sexual preferences, sexual orientation and their preferred matches; their age; username and their partner’s username; their bio (many of which included expansive, specific and personal information on the user) and their full-resolution profile pictures. In some cases, dates of birth were also exposed.


None of the data was encrypted. The researchers called the app a “privacy train wreck.”

If the users are working in these powerful places, then the easily accessible birthday data on the server system could make it possible to work out who they are.

The investigation into the app also found private photos could easily be exposed.

Responding to the claims, 3Fun said: “Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team”.

© 2019 GCN (Gay Community News). All rights reserved.
