A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.
The exposed data included users’ display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users’ locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.
Raw, which launched in 2023, is a dating app that claims to offer more genuine interactions with others in part by asking users to upload daily selfie photos. The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.
News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an unreleased wearable device that it claims will allow app users to track their partner’s heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.
Notwithstanding the moral and ethical issues of tracking romantic partners and the risks of emotional surveillance, Raw claims on its website and in its privacy policy that its app, and its unreleased device, both use end-to-end encryption, a security feature that prevents anyone other than the user — including the company — from accessing the data.
When we tried the app this week, which included an analysis of the app’s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.
Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.
“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email.
When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its “focus remains on building a high-quality product and engaging meaningfully with our growing community.”
Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would “submit a detailed report to the relevant data protection authorities under applicable regulations.”
It’s not immediately known how long the app was publicly spilling its users’ data. Anderson said that the company was still investigating the incident.
Regarding its claim that the app uses end-to-end encryption, Anderson said Raw “uses encryption in transit and enforces access controls for sensitive data within our infrastructure. Further steps will be clear after thoroughly analyzing the situation.”
Anderson would not say, when asked, whether the company plans to adjust its privacy policy, and Anderson did not respond to a follow-up email from TechCrunch.
How we found the exposed data
TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without having to provide any real-world data, such as our physical location.
We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device’s location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device’s location, we allowed the app access to our precise location down to a few meters.
We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.
TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication.
In practice, that meant anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server — api.raw.app/users/ followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data.
This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.
As we’ve explained before, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on that same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.
U.S. cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data “at scale.” As part of its Secure by Design initiative, CISA said in a 2023 advisory that developers should ensure their apps perform proper authentication and authorization checks.
Since Raw fixed the bug, the exposed server no longer returns user data in the browser.
