'Yelp for conservatives' MAGA app leaks users data

63red Safe app left its backend API exposed online without authentication.

MAGA hat

A new mobile app described as the "Yelp for conservatives" is leaking user records and business reviews, according to a French security researcher.

The app, named "63red Safe," features a motto of "keeping conservatives safe" and was launched over the weekend on the Apple and Google mobile app stores.

The app describes itself as a service where users can read or write "reviews of local restaurant and businesses from a conservative perspective, helping insure[sic] you're safe when you shop and eat!"

In media interviews, Scott Wallace, the app's creator said he built the app after a series of incidents where conservatives were forced to leave or take MAGA gear off to eat at restaurants or enter various businesses across the US.

But according to Baptiste Robert, a French security researcher who goes online under the pseudonym of Elliot Anderson (the name of the main character from the Mr. Robot TV show about hackers), the 63red Safe app is leaking almost all of its data.

Robert says the app's source code contains the credentials of its author, but also a list of API endpoints to which it connects to store or retrieve data.

This backend API doesn't use any form of authentication, Robert said. This means that anyone can look at the app's source code, get the API endpoints, and then extract data from the app's server with no challenge or restriction.

63red Safe API endpoints

Image: Robert Baptise

Using this technique, the French researcher was able to determine that 4,466 users had registered and created profiles since the app's launch over the weekend.

For each profile, Robert said he was able to retrieve information such as username, email, avatar, follower count, following count, profile creation/update dates, a ban status, and something called a "hotscore."

63Red Safe user data

Image: Robert Baptise

Other API endpoints also allowed Robert to block users and tamper with the apps database logs and hide unauthorized intrusions.

ZDNet asked Robert in an interview earlier today if he could also tamper with the user reviews of certain restaurants or businesses.

"I didn't test, but I was able to do almost everything, to be frank," Robert told us.

Asked why he looked into the 63red Safe app, the researcher said this was because he found a similar leak in another mobile app for US-based conservatives in the past.

"Some months ago I analyzed the Donald Daters app three hours after its release. I thought it was fun to analyze the same kind of 'Donald Trump' related app," he told ZDNet.

As for 63red and the safety of its users, the researcher says he didn't notify the company of his findings, which he shared publicly in a Twitter thread.

"I didn't contact them," Robert told us. "Let's say I don't really like Trump fans."

The company also develops two other conservatives-focused apps named 63red News and 63red Talk, and working on another named 63red Gather. Robert hasn't looked into these apps yet, but he told ZDNet he will.

ZDNet has contacted 63red and its founder about Robert's findings earlier today so the company can take action and update its app to protect users' data.

"We take this matter very seriously, and have already taken action to additionally protect our data," a company spokesperson told ZDNet via email. "The security of our users, and conservatives generally, is our primary concern, and we will continue to improve our systems in any way possible to guarantee their safety."

"The individual who noticed the original issue never gained access to any user's passwords, nor were they able to change or alter any data on our servers, nor were they able to login to our servers or access our databases directly," the company said. "The sensitive information in which they were able to access has now been additionally protected."

"As we have seen across the United States, conservatives particularly have come under attack for their political beliefs - verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well.

"We see this person's illegal and failed attempts to access our database servers as a politically-motivated attacked, and will be reporting it to the FBI later today," 63red added. "We hope that, just as in the case of many other politically-motivated internet attacks, this perpetrator will be brought to justice, and we will pursue this matter, and all other attacks, to the utmost extent of the law.  We log all activity against all our servers, and will present those logs as evidence of a crime."

Article updated with 63red statements.

More data breach coverage: