A hookup app intended to help you organize a threesome has been leaking user data, including real-time locations.
3Fun, which has 1.5 million users, bills itself as "the safest threesome and swingers app" online. But according to the cybersecurity firm Pen Test Partners, 3Fun probably has the worst security it's ever seen on a dating app.
The problem is how the app fetches and returns profile information for other users who are nearby. 3Fun will process the data on the client side (in this case, the user's smartphone) rather than behind a private web server.
Once you look under hood, you can view the data-fetching process in plain text. Make a request for other swingers nearby, and 3Fun will return with information that goes beyond displaying a typical dating profile; it can reveal another user's location data via latitude and longitude and date of birth, in addition to the person's sexual orientation and preferred matches.
"This is a privacy train wreck: how many relationships or careers could be ended through this data being exposed?" the security firm's penetration tester Alex Lomas wrote in a Thursday blog post.
Pen Test Partners demonstrated the privacy risks by posting maps that showed the locations of dozens of 3Fun users in the UK, London, and Washington DC. One 3Fun user even appeared to be located in the White House. "This data can be used to stalk users in near real time, expose their private activities and worse," Pen Test Partners added.
The app's privacy functions also appeared to be useless. Pen Test Partners was able to view profile photos and location data, even when the user had set them to be private.
The good news is that 3Fun's developer claims to have fixed the problems last month. "The users' data is not disclosed. We will continue focusing on providing a safer product for our users," the developer said in an email. However, Pen Test Partners said it suspects the app may have other vulnerabilities.
Gloss