Dating App ‘Raw’ Accidentally Rawdogs Users’ Location Data, Personal Info

A dating app that, just this week, announced a creepy new wearable, has been found to have publicly exposed users’ data. The data was granular and personal, including their approximate locations.
The app, Raw, says it is dedicated to promoting “real and unfiltered love” through its unique user interface, which resembles BeReal (it utilizes the front and back cameras of your phone), but for dating. Raw also recently announced a bizarre new piece of hardware, called the Raw ring, which purports to allow users to track the location of their lovers to ensure they’re not cheating (there’s no way that could ever lead to problematic scenarios, right?). Unfortunately, it would appear that Raw has also been promoting something else in quite an “unfiltered” fashion: users’ data.
TechCrunch reports that due to a lack of basic digital security protections, Raw was accidentally leaving users’ personal information open to public inspection. Indeed, prior to this week, anyone with a web browser would have been able to access detailed app user information, including their date of birth, display names, sexual preferences, and quite specific “street-level” location data.
TechCrunch says it discovered the security deficiencies during a brief test of the company’s app. Raw was downloaded onto a virtualized Android device, and then TC staffers used a network monitoring tool to observe the data being transmitted to and from the app. The analysis showed that the personal data was not being protected with any sort of authentication barrier. TC says it discovered the problem within the first “few minutes” of using the app. TC also notes that, while Raw claims to protect users with end-to-end encryption, it found no evidence that E2EE was present. They break down the security loophole like so:
When we first loaded the app, we found that it was pulling the user’s profile information directly from the company’s servers, but that the server was not protecting the returned data with any authentication. In practice, that meant anyone could access any other user’s private information by using a web browser to visit the web address of the exposed server —
api.raw.app/users/
followed by a unique 11-digit number corresponding to another app user. Changing the digits to correspond with any other user’s 11-digit identifier returned private information from that user’s profile, including their location data. This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else’s server because of a lack of proper security checks on the user accessing the data.
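As an added illustration (not Raw's or TechCrunch's code), the following Python sketch models the `/users/<id>` lookup described in the quote above: one handler that returns any record to anyone, which is the IDOR, beside one that requires a valid session and releases the full record only to its owner. The user records, session store, field names and function names are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample records keyed by 11-digit ids, as described in the article.
USERS = {
    "10000000001": {"name": "Alex", "dob": "1990-01-01", "location": "51.50,-0.12"},
    "10000000002": {"name": "Sam", "dob": "1992-05-05", "location": "48.85,2.35"},
}
# Constructed session store: bearer token -> id of the user who holds it.
SESSIONS = {"tok-alex": "10000000001"}

# Fields a logged-in user may see about someone else; everything else is owner-only.
PUBLIC_FIELDS = ("name",)
ID_PATTERN = re.compile(r"^\d{11}$")


def get_user_vulnerable(user_id: str) -> Optional[dict]:
    """The exposed shape: no authentication, no ownership check.
    Any caller who changes the id receives another user's full record."""
    return USERS.get(user_id)


def get_user_secure(user_id: str, session_token: Optional[str]) -> Tuple[int, Optional[dict]]:
    """Returns (http_status, body).
    1. Reject malformed ids before touching the data store.
    2. Require a valid session (authentication).
    3. Release the full record only to its owner (object-level authorization);
       other authenticated users get just the public fields, so walking the
       id space yields nothing sensitive."""
    if not ID_PATTERN.match(user_id):
        return 400, None
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None:
        return 401, None
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    if caller == user_id:
        return 200, dict(record)
    return 200, {k: record[k] for k in PUBLIC_FIELDS}
```

Note that a login check alone would not close the IDOR: the ownership comparison is what stops an authenticated user from reading someone else's date of birth and location.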
Gizmodo reached out to Raw for more information. According to statements made to TechCrunch, the security issues have been patched as of Wednesday. “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, the co-founder of Raw dating app, told the outlet.
It’s not uncommon for companies to poorly secure user data. Strange as it may sound, security is not a particularly huge priority in the software industry. It can be time-consuming, expensive, and may slow down other parts of production, so many companies simply don’t bother with it. With a dating app, however—a business which is dedicated to handling users’ most intimate (literally) and sensitive data—it obviously pays to spend a little bit more time locking stuff down. As they say: wrap it before you tap it.