Security researchers have found a huge vulnerability in group dating app 3fun that allowed anyone to find the personal information, chat data, private photos, and real-time location data of any of the app’s 1.5 million users. The discovery was made by Pen Test Partners, who said that 3fun has “probably the worst security for any dating app we’ve ever seen.” TechCrunch was able to independently verify the vulnerability.
The discovery comes as dating apps are facing renewed scrutiny over the amounts of intensely personal information they hold about their users. TechCrunch notes that multiple dating apps including Jewish dating app JCrush, conservative dating app Donald Daters, and Coffee Meets Bagel have all reported data breaches in the past couple of years, and there are ongoing concerns over Grindr’s ownership by a Chinese company.
Pen Test Partners’ security researchers discovered that 3fun was storing its users’ location data in the app itself, rather than keeping it securely on its servers. This made it trivial for the researchers to reveal the data on the client side, even when users were supposedly restricting their location data. The leak meant that Pen Test Partners could discover the locations of 3fun’s users worldwide, and it appeared to find users in the White House, the US Supreme Court, and 10 Downing Street in the UK (although it’s possible that these users were spoofing their locations). It was then able to view these users’ birth dates, sexual orientation, and even photos, regardless of whether they were set to private.
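The weakness described above is a privacy setting that only the app honors while the restricted data still reaches the device. The sketch below is an added example, not 3fun's code or API: it contrasts that pattern with server-side enforcement and includes a regression check for leaked fields. All field and function names are hypothetical, and the sample record is constructed.

```python
from copy import deepcopy

# Constructed sample record as a backend might store it (hypothetical fields).
SAMPLE_USER = {
    "id": 101,
    "nickname": "sample_user",
    "birthday": "1990-01-01",
    "hide_location": True,
    "latitude": 51.5034,
    "longitude": -0.1276,
    "photos": [
        {"url": "https://img.example/1.jpg", "private": False},
        {"url": "https://img.example/2.jpg", "private": True},
    ],
}


def serialize_client_enforced(user):
    """Weak pattern: send everything plus the flags and trust the app to hide it."""
    return deepcopy(user)


def serialize_server_enforced(user, viewer_is_owner=False):
    """Apply the owner's privacy settings before the response leaves the server."""
    if viewer_is_owner:
        return deepcopy(user)
    out = {"id": user["id"], "nickname": user["nickname"]}
    if not user.get("hide_location", True):  # treat a missing flag as "hidden"
        # Coarse coordinates only; the rounding is a design choice added here.
        out["latitude"] = round(user["latitude"], 1)
        out["longitude"] = round(user["longitude"], 1)
    out["photos"] = [{"url": p["url"]} for p in user["photos"]
                     if not p.get("private", True)]
    return out


def leaked_fields(user, response):
    """Regression check: name the restricted data present in a response."""
    leaks = []
    if user.get("hide_location", True) and (
            "latitude" in response or "longitude" in response):
        leaks.append("location")
    private_urls = {p["url"] for p in user["photos"] if p.get("private", True)}
    sent_urls = {p["url"] for p in response.get("photos", [])}
    if private_urls & sent_urls:
        leaks.append("private_photos")
    return leaks
```

Running `leaked_fields` against every profile endpoint in an API test suite catches a response that carries restricted fields, whatever the app's interface chooses to display.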
The security researchers notified 3fun about the vulnerability on July 1st, and said that the app’s security flaws have since been addressed. When contacted for comment, a spokesperson for 3fun told The Verge that the company updated the app to a new version on July 8th, and added that, “We will focus on updating our product to make it safer.”
Update August 9th, 7:28AM ET: Updated to add response from 3fun.