Over 260,000 dating app account records and 340 gigabytes of images and private chat logs were left open to the public on an Amazon Web Services S3 storage bucket. Impacted was the dating service 419 Dating - Chat & Flirt, developed by Siling App based in Hong Kong.
Exposed data included names, email addresses, geolocation data for mostly United States and Canadian customers. Also exposed was private user messages and chat logs, audio files and profile images and pictures shared privately between users. In all, security researchers said the 340 gigabytes of data included 2,357,896 files and 600 compressed server logs.
A review of just one of the 600 server logs revealed over 260,000 user account email addresses tied to Gmail, Yahoo Mail and iCloud Mail accounts. Additional email addresses were also left exposed, however the Google, Yahoo and Apple email accounts represent the majority of all users of the service, according to independent researcher Jeremiah Fowler, co-founder of Security Discovery, who made the discovery. The report of his findings were published by vpnMentor on Monday.
In a SC Media news exclusive, Fowler said the data was found accessible via the public internet in April 2023. He disclosed the instance of vulnerable data to the app developer Siling App and within weeks the misconfigured server was secured.
Fowler said it is unclear how long the data was exposed or if a third party gained access to the cache of highly sensitive images, chat histories and server logs.
“Data was easily cross referenceable allowing me to tie together usernames, email addresses, images, chat logs, messages and specific geographic locations,” he said. In other words, the true identities and addresses of users, even if they were using pseudonyms, were easy to establish, he said. “The volumes of adult content exposed raise serious risks. In the wrong hands this data could open a user to extortion attacks, social engineering scams and harmful privacy violations.”
App store vanishing act
Soon after Fowler’s discovery of the 419 Dating - Chat & Flirt data the app was removed from the Google Play marketplace and Apple’s App Store. The company, which lists its headquarters in Hong Kong, did not respond to Fowler's disclosure notification. Instead, the app vanished from Apple's App Store and the Google Play marketplace.
“We have no way of knowing if malicious actors gained access,” Fowler said. He added exposed data has not surfaced on illicit hacker forums he has reviewed. “At this point there is no indication the data has made it to the usual underground markets,” he said.
The Android version of 419 Dating is still widely available on third-party Android app stores. The app follows the freemium model, allowing users to sign up for free and then users are enticed to upgrade features for a fee. Despite the paid upgrade option, the researcher said no user financial data was exposed.
Two other dating apps also impacted
In addition to 419 Date data exposure, development files for dating sites called Meet You - Local Dating App, developed by Enjoy Social App and the app Speed Dating App For American, developed by MyCircle Network Corp. were also exposed. In the case of these two apps, exposed data was limited to developer files and did not include personal user data.
The researcher said the other apps are likely developed by the same person or team, but he can't say for sure what the connection between the three apps are.
"These other apps claim to be separate companies, but it is possible they use the same source code and functionality to clone their product under different brand / app names to distance themselves from 419 dating," he said
Fowler said despite 419 Date advertised claims of "trusted by 50 millions", the total size of the dating service is considerably smaller. By comparison, the user base of one of the largest dating sites Match has reported 39 million unique monthly visitors, which includes 10 million paying customers. When SC Media viewed cached versions of the Google Play download page for 419 Date the number of downloads indicated “+50k”. Data from Apple’s App Store was not accessible.
A review of addresses listed as the headquarters for all three apps traced to Hong Kong with each of the addresses no more than one mile apart. SC Media requests for comment to 419 Dating were not returned. Additionally, email inquiries to Meet You - Local Dating App and Speed Dating App For American were also not returned.
Fowler told SC Media that the insecure data was likely a result of a misconfigured firewall. “Sites that share a lot of images and data across multiple device formfactors are prone to this type of problem,” he said. “It's hard to build a permission structure and you easily end up accidentally leaking data. In this case, it appears a simple firewall misconfiguration appears to have been the culprit.”
Cold shower advice for dating app enthusiasts
The larger issues tied to free dating apps published by unproven developers represents risks that users need to be aware, Fowler said.
“Free dating apps often prey on the human emotions of people wanting to communicate, sometimes anonymously,” he said. “That's what makes dating apps so much different than other apps that handle sensitive and private data like banking and health apps.” Emotions cloud judgement to the detriment of personal privacy considerations.
He advises users of any free app to consider how their user data could be accidently leaked, misused and turned into phishing fodder for threat actors. Similarly, developers with malicious intent can easily use free apps as data harvesting honey pot traps.
The real-world risks of data exposures illustrated by the Android version of 419 Dating - Chat & Flirt included device permissions: network access availability, use of the phone’s camera, the ability to read and write data to the handset’s external storage and in-app billing features.
“Any application developer that collects and stores the data of its users is generally expected to have an obligation to protect sensitive information,” Fowler said.