Group sex app leaks locations, pics and personal details identifying users in White House

More than 1.5 million users of a group dating service had their data exposed, including their real-time location because of a vulnerability in the app.

3fun app

The dating site, 3Fun, defines itself as a “private space” where you can meet “local kinky, open-minded people”. But the data wasn’t private at all. Ken Munro, the founder of Pen Test Partners, published its findings  Thursday and shared said it was “probably the worst security for any dating app we’ve ever seen.”

3Fun isn’t the first dating app to have location disclosure issues, apps like Grindr have previously been manipulated through a process called ‘trilateration’, which involves spoofing GPS locations to get exact positions and distances of other users.

3Fun is said to be even less secure because it’s easy for hackers to use something called a ‘GET request’ to find exact coordinates of a user.

Pen Test Partners researchers found the app was leaking the exact location, photos and other private details of any nearby user.

3 fun app

Worse, because the app wasn’t properly secured, the researchers found they could plug in any coordinates they wanted to spoof their location, revealing sensitive information on anyone within any area of their choosing, including government buildings, military bases and even intelligence agencies.

It is possible to find profiles of users at both locations, including their sexual preferences, sexual orientation and their preferred matches; their age; username and their partner’s username; their bio (many of which included expansive, specific and personal information on the user) and their full-resolution profile pictures. In some cases, dates of birth were also exposed.

3fun app

None of the data was encrypted. The researchers called the app a “privacy train wreck.”

If the users are working in these powerful places, then the easily accessible birthday data on the server system could make it possible to work out who they are.

The investigation into the app also found private photos could easily be exposed.

Responding to the claims, 3Fun said: “Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team”.

© 2019 GCN (Gay Community News). All rights reserved.

Support GCN

GCN has been a vital, free-of-charge information service for Ireland’s LGBT+ community since 1988.

During this global COVID pandemic, we like many other organisations have been impacted greatly in the way we can do business and produce. This means a temporary pause to our print publication and live events and so now more than ever we need your help to continue providing this community resource digitally.

GCN is a registered charity with a not-for-profit business model and we need your support. If you value having an independent LGBT+ media in Ireland, you can help from as little as €1.99 per month. Support Ireland’s free, independent LGBT+ media.

0 comments. Please sign in to comment.