Hookup app ‘3fun’ made for arranging threesomes exposed personal information, photos, and exact locations of over a MILLION users, including some at the WHITE HOUSE, in ‘privacy train-wreck’
- Security researchers at Pen Test Partners found vulnerabilities in the app ‘3fun’
- They found it was easy to obtain location, sexual orientation, birthday, photos
- Users were pinpointed in spots including the White House and Supreme Court
- But, the team notes that a tech savvy user could alter their own location as a joke
- Researchers say easy availability of data put users at risk of stalking or ‘worse’
- After alerting 3fun of the problem, the researchers say the company resolved it
An app designed to facilitate group sex meetups between strangers has left the sensitive information of its 1.5 million users easily accessible, in what experts say is ‘probably the worst security for any dating app we’ve ever seen.’
In an alarming new report, the team at Pen Test Partners says the service 3fun exposes everything from near-real time locations and sexual orientations to pictures uploaded by its users – even if they’re set to private.
With personal information such as birthdays, gender, and geographic coordinates available, the researchers say it’s ‘fairly easy’ to work out exactly who and where a specific user is.
In an alarming new report, the team at Pen Test Partners says the service 3fun exposes everything from near-real time locations and sexual orientations to pictures uploaded by its users – even if they’re set to private
The app describes itself as the best platform for ‘meeting local kinky, open-minded people for threesome and swinger lifestyle.’
On the App Store, 3fun ironically boasts of its security, touting hidden profiles and private photos that can only be viewed by your matches.
But, the Pen Test investigation shows this is far from the truth.
The researchers found 3fun leaks all sorts of private information, meaning it’s available without having to ‘spoof’ the system – a technique that’s been exploited in the past on other dating apps such as Grindr.
While users can opt-out of having their latitude and longitude sent to the app, the data remain available on the server.
With relatively little effort, the team was able to pinpoint dozens of users’ exact locations in both the US and UK.
With personal information such as birthdays, gender, and geographic coordinates available, the researchers say it’s ‘fairly easy’ to work out exactly who and where a specific user is
The app, designed to facilitate group sex meetups between strangers, has left the sensitive information of its 1.5 million users easily accessible, in what experts say is ‘probably the worst security for any dating app we’ve ever seen.’
Some even appeared to be in the White House and the Supreme Court, though the team notes that could be the mark of ‘a tech savvy user having fun making their position.’
Pen Test was also able to obtain users’ photos.
The Pen Test investigation highlights worrying vulnerabilities that could put users at risk of stalking or having their info exposed
As the team points out, the potential for misuse is worrying. With the data available from the app, a person with nefarious intentions could ‘stalk users in near real-time, expose their private activities, and worse,’ Pen Test notes.
After uncovering the shocking extent of the app’s vulnerabilities, the security researchers notified 3fun on July 1 in effort to let them rectify the situation.
But, their response was ‘concerning’ too.
In a three-sentence reply, 3fun thanked the researchers for ‘reminding’ them of the issue and promised to fix it ‘as soon as possible’ – before asking for suggestions on how to do so.
Even taking potential language barriers into account, the Pen Test team notes that asking for advice on this front is ‘unusual.’
In any case, Pen Test did provide tips and says 3fun quickly put a fix into place.
‘But,’ the researchers note, ‘it’s a real shame that so much very personal data was exposed for so long.’
HOW CAN YOU PROTECT YOUR INFORMATION ONLINE?
Because hackers are becoming more creative, security experts are warning that consumers need to take all possible measures to protect their identities (file photo)
- Make your authentication process two-pronged whenever possible. You should choose this option on websites that offer it because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information.
- Secure your phone. Avoiding public Wifi and installing a screen lock are simple steps that can hinder hackers. Some fraudsters have begun to immediately discount secure phones altogether. Installing anti-malware can also be beneficial.
- Subscribe to alerts. A number of institutions that provide financial services, credit card issuers included, offer customers the chance to be notified when they detect suspicious activity. Turn those notifications on to stay informed about credit card activity linked to your account.
- Be careful when issuing transactions online. Again, some institutions offer notifications to help with this, which will alert you when your card is used online. It might also be helpful to institute limits on amounts that can be spent with your card online.
