A mobile sex app used by those looking for a discreet menage-a-trois has ejaculated the real-time locations of users – along with dates of birth, sexual preferences, chat data and private pictures – all over the internet, according to a penetration testing company.
3fun, which boasts 1,500,000 users, was described by Pen Test Partners as a “privacy train wreck”. It even exposes users' private pictures when privacy settings are on. The company described it as having “the worst security for any dating app we’ve ever seen.”
The key issue: data is only filtered in the mobile app itself, not on the server. “It’s just hidden in the mobile app interface if the privacy flag is set. The filtering is client-side, so the API can still be queried for the position data.”
When it comes to location, it gets worse. As UK-based Pen Test Partners notes in a blog: “Several dating apps including Grindr have had user location disclosure issues before, through what is known as ‘trilateration’. This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position. But, 3fun is different. It just ‘leaks’ your position to the mobile app. It’s a whole order of magnitude less secure.”
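The client-side filtering flaw described above, next to a server-side allowlist that fixes it, as an added example that is not 3fun's or Pen Test Partners' code. The record layout and every field name (`privacy_on`, `latitude`, `private_photos` and so on) are assumptions made for illustration, and the sample record is constructed.

```python
# Hypothetical record layout; field names are assumptions, not 3fun's real API.
PUBLIC_FIELDS = {"user_id", "display_name", "public_photos"}
# Released to other users only when the owner has NOT enabled privacy.
PRIVACY_GATED = {"latitude", "longitude", "private_photos"}
# Only the account owner may read these back.
OWNER_ONLY = {"birthday", "sexual_preference"}


def serialize_client_filtered(record):
    """Pattern the article describes: send everything plus a flag and trust
    the app to hide it. Anyone querying the API directly sees all of it."""
    return dict(record)


def serialize_server_filtered(record, viewer_id):
    """Allowlist applied on the server, so gated values never leave it."""
    if viewer_id == record["user_id"]:
        allowed = PUBLIC_FIELDS | PRIVACY_GATED | OWNER_ONLY
    elif record.get("privacy_on", True):  # a missing flag fails closed
        allowed = PUBLIC_FIELDS
    else:
        allowed = PUBLIC_FIELDS | PRIVACY_GATED
    return {k: v for k, v in record.items() if k in allowed}


def leaked_fields(response):
    """Audit helper: gated or owner-only keys present in an API response."""
    return sorted((PRIVACY_GATED | OWNER_ONLY) & set(response))


# Constructed sample record (not real data).
SAMPLE = {
    "user_id": 101, "display_name": "sample_user", "privacy_on": True,
    "latitude": 0.0, "longitude": 0.0, "birthday": "1990-01-01",
    "sexual_preference": "n/a", "public_photos": ["a.jpg"],
    "private_photos": ["b.jpg"],
}

if __name__ == "__main__":
    # Response another user (id 202) would receive under each pattern.
    print(leaked_fields(serialize_client_filtered(SAMPLE)))
    print(leaked_fields(serialize_server_filtered(SAMPLE, viewer_id=202)))
```

Running `leaked_fields` over recorded API responses in an integration test catches a regression to the client-filtered pattern before release.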