
RAW Discovers, Patches Unexpected User Data Leak

A recent security lapse at dating app Raw exposed sensitive user data, including precise location information, to the public, according to an investigation by TechCrunch. The vulnerability allowed anyone with a web browser to access personal information such as display names, birth dates, sexual preferences, and even GPS coordinates accurate to street level.

Raw, launched in 2023, encourages authenticity by requiring users to submit daily selfies. While the company has not disclosed total user numbers, the app has been downloaded over 500,000 times on Android devices alone. Despite the company advertising end-to-end encryption on its website and in its privacy policy, testing of the app found no such protections in place. Instead, the testing showed that user data could be retrieved directly from the company’s servers without any authentication.

The flaw, known as an insecure direct object reference (IDOR), made it possible to access any user’s data simply by changing a numerical identifier in the URL. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously highlighted IDOR vulnerabilities as serious risks that can lead to large-scale data exposure.
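The pattern described above, shown as an added Python illustration that is not Raw's code: a lookup that trusts the identifier in the request, next to one that authenticates the caller and checks ownership of the record. The data store, field names, session tokens and the choice of which fields count as public are all constructed assumptions.

```python
# Added illustration only. All records, tokens and field names are constructed.
PROFILES = {
    1001: {"display_name": "alex", "birth_date": "1994-02-11",
           "lat": 52.5200, "lon": 13.4050},
    1002: {"display_name": "sam", "birth_date": "1990-07-30",
           "lat": 48.8566, "lon": 2.3522},
}

# Constructed session table: bearer token -> authenticated user ID.
SESSIONS = {"token-alex": 1001, "token-sam": 1002}

# Assumption: only these fields may be shown to other signed-in users.
PUBLIC_FIELDS = ("display_name",)


def get_profile_vulnerable(user_id, token=None):
    """IDOR: the ID from the URL is the only input that decides what is returned."""
    profile = PROFILES.get(user_id)
    return (200, profile) if profile else (404, None)


def get_profile_hardened(user_id, token=None):
    """Authenticate first, then authorize per object and per field."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None              # no valid session: nothing is returned
    profile = PROFILES.get(user_id)
    if profile is None:
        return 404, None
    if caller == user_id:
        return 200, dict(profile)     # owner sees the full record
    # Any other caller gets the reduced view: no birth date, no coordinates.
    return 200, {k: profile[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    print(get_profile_vulnerable(1002))                # full record, no login
    print(get_profile_hardened(1002))                  # (401, None)
    print(get_profile_hardened(1002, "token-alex"))    # public fields only
    print(get_profile_hardened(1001, "token-alex"))    # owner's full record
```

Both checks are needed: a login requirement alone would still let any signed-in user read another user's full record by changing the identifier.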

Raw patched the issue shortly after being notified, with co-founder Marina Anderson stating, “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future.” However, Anderson admitted the app had not undergone a third-party security audit and declined to confirm whether users would be notified about the exposure.

Global Dating Insights is part of the Industry Insights Group. Registered in the UK. Company No: 14395769