The app, described as a “Curious Couples & Singles Dating” platform, was inspected by security researchers from Pen Test Partners, who discovered the vulnerability, describing it as “probably the worst security for any dating app we’ve ever seen.”
Personal information, sexual preferences, private photos, chat data and users’ real-time locations were all exposed because of the lack of proper user security. 3Fun was storing its users’ location data in the app itself, as opposed to keeping it securely on its servers. This allowed the researchers to uncover the data on the client side, even for users who had restricted their location data.
The exposed user locations included the White House, the US Supreme Court, and 10 Downing Street in London. However, the security experts did note that it’s “technically possible” that these users faked their locations.
TechCrunch ran the same tests as Pen Test Partners and confirmed its findings. They were able to modify their current geolocation to any set of coordinates, including the White House and the headquarters of the CIA.
Moreover, none of the data was encrypted. The researchers called the app a “privacy trainwreck.” The researchers contacted 3Fun on July 1 to report the bugs, yet Pen Test Partners said the app maker took weeks to fix the issues.
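The location exposure described above comes down to where the privacy setting is enforced. The sketch below is an added example, not code from 3Fun or Pen Test Partners: it contrasts a response that ships exact coordinates with a "hide" flag against one that enforces the setting on the server. The profile schema, field names and sample coordinates are all hypothetical.

```python
# Added illustration: the schema and field names are hypothetical,
# not taken from the 3Fun API.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    user_id: int
    nickname: str
    lat: float
    lon: float
    hide_location: bool  # the user's privacy setting


def serialize_weak(p: Profile) -> dict:
    """Weak pattern: send exact coordinates plus a flag and trust the app to hide them."""
    return {"id": p.user_id, "nickname": p.nickname,
            "lat": p.lat, "lon": p.lon, "hide_location": p.hide_location}


def serialize_hardened(p: Profile, grid_deg: float = 0.1) -> dict:
    """Server-side enforcement: restricted users' coordinates never leave the server;
    everyone else is snapped to a coarse grid (0.1 degree is roughly 11 km of latitude)."""
    out = {"id": p.user_id, "nickname": p.nickname}
    if not p.hide_location:
        out["approx_lat"] = round(round(p.lat / grid_deg) * grid_deg, 4)
        out["approx_lon"] = round(round(p.lon / grid_deg) * grid_deg, 4)
    return out


def leaked_coordinates(response: dict) -> Optional[tuple]:
    """What anyone reading the raw API response recovers, whatever the app's UI shows."""
    if "lat" in response and "lon" in response:
        return (response["lat"], response["lon"])
    return None


# Constructed sample data.
SAMPLE = [
    Profile(1, "alice", 48.12345, 11.54321, hide_location=True),
    Profile(2, "bob", 40.71234, -74.00567, hide_location=False),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print("weak    :", leaked_coordinates(serialize_weak(p)))
        print("hardened:", serialize_hardened(p))
```

With the weak serializer, the user who restricted their location still has exact coordinates in the response; with the hardened one, the response contains nothing to recover.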