Dating app for Trump loners commits YUGE blunder: It leaks more than the West Wing

Donald Daters application more insecure than the president

A much-hyped dating site for Donald Trump supporters in the US is being blasted for shoddy security that may have exposed all of its users to eavesdropping and account theft.

Donald Daters pitches itself as "an American-based singles community connecting lovers, friends, and Trump supporters alike." The app, offered for both iOS and Android, was brought into the national spotlight on Monday when it was featured on Fox News.

Unfortunately, the media offensive appears to have come before the dating service was able to run a decent security assessment. So someone did that for them for free.

Shortly after the glowing profiles of the app went live, infosec researcher Robert Baptiste disclosed the application's makers had poorly secured an internet-facing cloud-hosted backend database containing information including all user names, private conversations via the app, and authentication tokens needed to log into their accounts.

Baptiste confirmed to El Reg that the data is stored on a backend database, and tweeted:

So, basically, everything short of credit card details is available from the mobile app's backend, if you know where and how to look. We'll give you a clue: the app includes the cryptographic keys needed to access the developers' cloud-hosted storage and accounts. These keys can be used to access the databases holding people's profiles. It seems someone bigly ignored some basic security measures.
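The failure described above, access keys shipped inside the client, is something a build can be checked for before release. The following is an added example, not code from the article, the researcher, or the app: it assumes the unpacked Android build exposes its strings in `res/values/strings.xml`, and because the article does not name the cloud provider it goes beyond the article's case by checking for several well-known credential formats. All resource names and key values in the sample are constructed.

```python
import math
import re
import xml.etree.ElementTree as ET

# Value formats that are credentials by shape alone.
VALUE_RULES = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# Resource names that suggest a secret; confirmed by an entropy check below.
SUSPECT_NAME = re.compile(r"secret|token|passw|private|api_?key", re.I)


def shannon_entropy(s):
    """Bits per character; random keys score high, words and URLs lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_embedded_secrets(strings_xml):
    """Return sorted (resource_name, rule) pairs for credential-like <string> entries."""
    findings = set()
    for node in ET.fromstring(strings_xml).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        matched = [rule for rule, rx in VALUE_RULES.items() if rx.search(value)]
        if not matched and SUSPECT_NAME.search(name):
            # Name alone is weak evidence: require a long, random-looking value.
            if len(value) >= 20 and shannon_entropy(value) >= 3.5:
                matched = ["high_entropy_named_secret"]
        findings.update((name, rule) for rule in matched)
    return sorted(findings)


# Constructed sample input; every value below is made up for this example.
SAMPLE = """<resources>
  <string name="app_name">Example Dating</string>
  <string name="google_api_key">AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q</string>
  <string name="storage_access_id">AKIAABCDEFGHIJKLMNOP</string>
  <string name="backend_secret">q9Zr7Lx2Vb8Nw4Tk6Hs1Jd3Fg5Pm0Yc</string>
  <string name="token_hint">Enter your token</string>
</resources>"""

if __name__ == "__main__":
    for name, rule in find_embedded_secrets(SAMPLE):
        print(f"{name}: {rule}")
```

Some client-side keys cannot be removed from a mobile build, so a hit is a prompt to confirm the key is restricted and that the backend enforces per-user access on its own rather than trusting anyone who holds the key.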

According to the researcher, the dating app has about 1,607 users who have engaged in a total of 128 conversations, the longest being a discussion between two of the app's developers.

Baptiste was also able to extract information from the Android client:

The makers of Donald Daters did not return a request from El Reg for comment on the matter. SAD. And if you're using this app: don't. ®



