icon bookmark-bicon bookmarkicon cameraicon checkicon chevron downicon chevron lefticon chevron righticon chevron upicon closeicon v-compressicon downloadicon editicon v-expandicon fbicon fileicon filtericon flag ruicon full chevron downicon full chevron lefticon full chevron righticon full chevron upicon gpicon insicon mailicon moveicon-musicicon mutedicon nomutedicon okicon v-pauseicon v-playicon searchicon shareicon sign inicon sign upicon stepbackicon stepforicon swipe downicon tagicon tagsicon tgicon trashicon twicon vkicon yticon wticon fm
9 Aug, 2019 12:54

Group sex app with ‘worst security ever seen’ exposes users in White House & Downing St

Group sex app with ‘worst security ever seen’ exposes users in White House & Downing St

A massive vulnerability has been exposed in the group dating app 3fun, with researchers gaining access to a trove of information on its users. In a further twist, users were uncovered in the corridors of power in the US and UK.

The app is described as a “Curious Couples & Singles Dating” platform. One would think that security would rank fairly high on the agenda for such a service; however that was clearly not the case as the Pen Test Partners security researchers, who discovered the vulnerability, described what they felt was “probably the worst security for any dating app we’ve ever seen.”

Personal information, sexual preferences, private photos, chat data and users’ real time locations were all exposed due to 3fun’s shoddy security practices.

Also on rt.com Snapchat sex scandal: Aussie athlete accused of sending genital pictures to underage teammates

The leak was due to 3fun storing its users’ location data in the app itself, as opposed to keeping it securely on its servers. This allowed the researchers to uncover the data on the client side, even for users who had restricted their location data. 

The vulnerability meant that Pen Test Partners could discover the locations of 3fun’s users around the globe. Amazingly users were found in the White House, the US Supreme Court, and at 10 Downing Street in London. However the security experts did concede that it’s “technically possible” that these users faked their locations.

Pen Test Partners made 3fun aware of the bugs on July 1; however, it took weeks to address the issues. TechCrunch was able to independently verify the app’s vulnerability.

Like this story? Share it with a friend!

Podcasts
0:00
25:25
0:00
27:21