View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Sex App Leak Suggests Three in a Bed in 10 Downing Street

There were three in the bed, and a GET request said...

By CBR Staff Writer

A mobile sex app used by those looking for a discreet menage-a-trois has ejaculated the real time locations of users – along with dates of birth, sexual preferences, chat data and private pictures – all over the internet, according to a penetration testing company.

3fun, which boasts 1,500,000 users, was described by Pen Test Partners as a “privacy train wreck”. It even exposes users private pictures when privacy settings are on. The company described it as having “the worst security for any dating app we’ve ever seen.”

The key issue: data is only filtered in the mobile app itself, not on the server. “It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data.”

When it comes to location, it gets worse. As UK-based Pen Test Partners notes in a blog: “Several dating apps including grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position. But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”

3fun leak

Testing the app for security issues, the firm found no shortage. It also spotted users apparently in Number 10 Downing Street and the White House.

Pen Test Partners said in a blog: “Here’s the data that is sent to the users mobile app from 3fun systems. It’s made in a GET request like this.” [Illustration below].

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The company notified the app makers in early June, getting the response: “Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team.”

(The company suggested some fixes and pulling the app offline while they made them).

sex app 3fun

Users appear to be in the White House and in the Prime Minister’s residence, although, as Pen Test Partners notes, “It’s technically possible to re-write ones position, so it could be a tech savvy user having fun making their position appear as if they are in the seat of power.”

The rest of the location data, down to house level, is likely to be genuine. 3fun says it has updated security as of July 8, adding “we will focus on updating our product to make it safer.”

See also: Why Mobile Apps are a Headache for Critical Public Services

 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU