
Threesome app exposes user data, locations from London to the White House

‘Special relationships’ appear to also be blooming at Number 10, Downing Street.
Written by Charlie Osborne, Contributing Writer

There's a mobile application for everything nowadays and platforms for arranging threesomes and hookups are no exception -- but when security fails users, personal lives and careers may be at risk -- a problem highlighted by a data leak discovered in 3Fun.

3Fun, an application described as a "Curious Couples & Singles Dating" platform, is an 18+ service with over 100,000 active installs on Android alone. 3Fun claims to cater to 1.5 million users worldwide. 

While the developers of the app say that privacy protections are in place -- such as through the implementation of private photo albums -- researchers from Pen Test Partners beg to differ. 

According to penetration tester Alex Lomas, the service has earned the accolade of being "probably the worst security for any dating app we've ever seen."

The "privacy trainwreck" not only exposed the near real-time location of users -- whether they were at home, at work, or on the daily commute -- but also leaked dates of birth, sexual preferences, chat information, and private pictures, even if the user had enabled some form of privacy for the latter.

User data leaks in similar mobile apps, including Grindr and Romeo, have also appeared recently due to what is known as "trilateration" -- the ability to spoof GPS coordinates and abuse 'distance from me' features in an app to zone in on a user's location.

The researchers say that the security issues impacting 3Fun, however, are nowhere near as sophisticated; instead, the app simply leaks your position outright. 

There is no need to make calculations based on the rough distance of a target, as the latitude and longitude of a user were simply made available in close to real time.

While users can restrict location exposure through settings, the researchers say this information, which is sent to 3Fun servers through a GET request, is only filtered on the app itself. 


"It's just hidden in the mobile app interface if the privacy flag is set," the firm noted. "The filtering is client-side, so the API can still be queried for the position data."

The exact location of users was accessible by querying the API. Location maps viewed by the team ranged from London as a whole to the home of the prime minister, Number 10, Downing Street, as well as Washington DC, the US Supreme Court, and the White House.


It is possible to spoof GPS coordinates to have some fun with location tracking and this could be the case when it comes to the seats of power mentioned. However, this does not detract from the seriousness of the overall data leak.

Combined with the exposure of user information including their date of birth, it could be possible to both stalk and unmask individuals. 

In addition, apparently private photos were also available for all to see, as the URLs of images that are meant to be hidden in private albums were exposed during API activity. 
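The client-side filtering behind the location leak and the private album exposure described above can be contrasted with server-side enforcement in a short sketch. This is an added example, not code from 3Fun or Pen Test Partners; the field names, sample records, and the album-grant model are assumptions made for illustration.

```python
import copy

# Constructed sample data; every field name here is an assumption.
USERS = {
    1: {"id": 1, "name": "user_a", "lat": 10.1234, "lon": 20.5678,
        "hide_location": True,
        "photos": [{"url": "/img/a-public.jpg", "private": False},
                   {"url": "/img/a-private.jpg", "private": True}]},
    2: {"id": 2, "name": "user_b", "lat": 30.0, "lon": 40.0,
        "hide_location": False,
        "photos": [{"url": "/img/b-public.jpg", "private": False}]},
}
# Assumed sharing model: (owner_id, viewer_id) pairs allowed to see private albums.
ALBUM_GRANTS = {(1, 3)}


def serialize_client_filtered(user):
    """Weak pattern: return the full record and rely on the app to hide fields."""
    return copy.deepcopy(user)


def serialize_for_viewer(user, viewer_id, grants=ALBUM_GRANTS):
    """Hardened pattern: the server drops what this viewer may not see."""
    owner = viewer_id == user["id"]
    out = {"id": user["id"], "name": user["name"]}
    if owner or not user["hide_location"]:
        out["lat"], out["lon"] = user["lat"], user["lon"]
    see_private = owner or (user["id"], viewer_id) in grants
    out["photos"] = [p["url"] for p in user["photos"]
                     if see_private or not p["private"]]
    return out


def leaked_fields(response, user, viewer_id, grants=ALBUM_GRANTS):
    """Regression check: name protected data present in a serialized response."""
    text = repr(response)
    owner = viewer_id == user["id"]
    leaks = []
    if user["hide_location"] and not owner and any(
            repr(user[k]) in text for k in ("lat", "lon")):
        leaks.append("location")
    if not owner and (user["id"], viewer_id) not in grants:
        leaks += [p["url"] for p in user["photos"]
                  if p["private"] and p["url"] in text]
    return leaks
```

Running `leaked_fields` over every response shape in an API test suite catches the case where a privacy flag is honoured only by the app's interface.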

Pen Test Partners believe there are more vulnerabilities to be found in the mobile app and its API but have not been able to investigate further. 


The researchers disclosed their findings to the makers of 3Fun on July 1, 2019. The reaction appears to be less than exemplary:

"Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team."

Potential language barriers aside, however, Pen Test Partners said the team obliged by offering some advice and the data leaks were resolved relatively quickly. 


"The trilateration and user exposure issues with Grindr and other apps are bad. This is a whole lot worse," the researchers added. "It's easy to track users in near real-time, uncovering very personal information and photos."
