That's bang out of order: Threesome hookup app 3Fun leaked lovers' data, locations, pix – report

Holes supposedly plugged, fnar fnar, but Pen Test Partners believes there may be more


UK-based security biz Pen Test Partners describes group sex app 3Fun as having "probably the worst security for any dating app we’ve ever seen."

Worse than an unprotected Elastic database exposing 42.5 million records from various dating apps? Apparently so, even though 3Fun boasts a mere 1.5 million users in the US.

The Elastic database, it seems, didn't include any personal information. But 3Fun has plenty, or did if the company actually managed to apply the fixes mentioned by Pen Test Partners after it disclosed the issue to 3Fun on July 1.

That seems doubtful, however, given the security firm's account of its interaction with 3Fun's developers and in light of the app's dubious design: location-based query results for potential threesome partners were sent to and stored on the client in full and then merely hidden by the app's interface, as if no one could come up with a way to reveal the data.

"That data is only filtered in the mobile app itself, not on the server," said researcher Alex Lomas in a blog post on Thursday. "It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data."
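To make the point concrete, here is an added illustration (not code from the 3Fun app, its API or the Pen Test Partners write-up) of the difference between the client-side filtering Lomas describes and enforcing the same privacy flag on the server. The record layout, field names and coordinates are constructed for the example; the only assumption taken from the article is that a per-user privacy flag exists and that the server was returning position data regardless of it.

```python
# Constructed sample records, roughly what a location-based "nearby users" API
# might hold. Field names and values are invented for this example.
USERS = [
    {"id": 1, "lat": 51.5034, "lon": -0.1276, "hide_location": True},
    {"id": 2, "lat": 38.8977, "lon": -77.0365, "hide_location": False},
    {"id": 3, "lat": 38.8907, "lon": -77.0041, "hide_location": True},
]


def api_nearby_client_filtered(users):
    """The flawed pattern the article describes: the server returns every
    record, precise coordinates included, and trusts the mobile app to hide
    the position in its UI when hide_location is set. Anyone who can call
    the API directly gets the coordinates anyway."""
    return [dict(u) for u in users]


def api_nearby_server_filtered(users):
    """The hardened pattern: the privacy flag is enforced before the response
    is built, so coordinates of users who opted out never leave the server.
    The client can still display the user, just not where they are."""
    response = []
    for u in users:
        record = {"id": u["id"]}
        if not u["hide_location"]:
            record["lat"] = u["lat"]
            record["lon"] = u["lon"]
        response.append(record)
    return response


def leaks_hidden_location(response, users):
    """A simple regression check a defender can run against an API response:
    return the ids of users who asked to be hidden but whose coordinates are
    present in what the server sent. An empty list means the flag is honoured
    server-side."""
    hidden_ids = {u["id"] for u in users if u["hide_location"]}
    return [r["id"] for r in response if r["id"] in hidden_ids and "lat" in r]


if __name__ == "__main__":
    print("client-side filtering leaks:", leaks_hidden_location(api_nearby_client_filtered(USERS), USERS))
    print("server-side filtering leaks:", leaks_hidden_location(api_nearby_server_filtered(USERS), USERS))
```

The check in `leaks_hidden_location` is the kind of assertion that belongs in an API test suite: it looks at what the server actually emits, not at what the app chooses to render, which is the only place a privacy flag can be meaningfully enforced.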

According to Lomas, the 3Fun app revealed locations of users in near real time, user birth dates, sexual preferences and chat data. And it exposed users' private pictures, whether or not the evidently non-functional privacy flag had been set.

The Register attempted to contact the makers of 3Fun to ask about this, but we've not heard back.

What did Pen Test Partners find? Lomas says the app revealed users in the White House and in the US Supreme Court, not to mention 10 Downing Street in London and elsewhere in the UK.

The caveat, Lomas says, is that a technically savvy user could alter location coordinates. That makes it difficult to be certain the supposed user in the White House, for example, wasn't put there by spoofed location data.

There's a bit less doubt about the authenticity of the pictures, stored in an Amazon S3 bucket, as Pen Test Partners tells it.

"We think there are a whole heap of other vulnerabilities, based on the code in the mobile app and the API, but we can’t verify them," said Lomas. ®

Updated to add

After this story was filed, a spokesperson for 3Fun emailed us to say it has fixed things up. "We took the action immediately and updated a new version on July 8th," the spokesperson said. "We will focus on updating our product to make it safer."
