3Fun, a dating app for arranging threesomes with more than 1.5 million users, exposed sensitive information, including real-time locations and private pictures.
The app’s lack of security was discovered by Pen Test Partners, which claimed that 3Fun featured what was “probably the worst security for any dating app we’ve ever seen” with none of the user data protected by encryption.
According to Pen Test Partners, other dating apps such as Grindr were criticized in the past for disclosing user locations. Those disclosures relied on trilateration, which derives a person’s exact location by exploiting the “distance from me” feature in apps while spoofing GPS positions.
3Fun, however, extracted the latitude and longitude coordinates of users, and even if users restricted sending that information, the data was still on the server. Through it, Pen Test Partners was able to pinpoint the locations of the group dating app’s users across several major cities. Some were even found in the White House, the U.S. Supreme Court, and Number 10 Downing Street in London, though they were likely spoofing their locations.
Pen Test Partners also found that the private photos of people on 3Fun were exposed, even when they used the proper privacy settings. Other exposed user information included birth dates, gender, sexual orientation, and preferred matches. In addition, users could spoof their location to find out information about other users in a specific area.
Pen Test Partners forwarded its findings to TechCrunch, which ran the same tests and confirmed the findings about 3Fun’s security.
Making matters a bit worse, when Pen Test Partners reached out to 3Fun on July 1 regarding the data privacy issues, the team behind the app asked for suggestions on what they could do to fix the problems. Pen Test Partners founder Ken Munro told TechCrunch that the 3Fun team took weeks to patch the issues.
“3fun took action fairly quickly and resolved the problem, but it’s a real shame that so much very personal data was exposed for so long,” according to Pen Test Partners.
The data privacy issues involving dating apps follow the mishap with Coffee Meets Bagel, which announced on Valentine’s Day that an unauthorized party had gained access to user data.