I’ve reported a bug like this in an application that deals with a similarly sensitive topic. They managed to call me back in 30 minutes (I never gave them my number) and had it fixed in a few hours.
I did contact them via every medium I could find, not just email. Obviously, the response these folks got from the company should have told them they were talking to the wrong person, and they should have been more vigilant in attempting to contact the right person.
I contacted a similar Finnish-based application about similar issues, where almost everything, including all the user images, could have been collected from the JSON API endpoint.
Their response was that it is not a bad system or insecure because the information is only available for logged-in users. So the API just needs an authentication header.
So all the user data could have been easily collected into one's own database using a simple script.
Does it expose any sort of "device id"? Such ids are usually asked for by advertisers and iOS and Android gladly give it to them. I'm sure there are device-id to phone-number maps out there, and anyone with money can get access to them.
Consider that _any_ app you've linked your email and phone number to could (in theory) sell access to your data to any other company that only has your email, and then they have both. Or (as another commenter noted) the great many apps that upload your (friends') entire contact list. Consider all the IDs, fingerprinting techniques (etc.) out there, juxtaposed against the high value that information has (in marketing / ad space), and it seems likely there are many ways to get this information, whether or not you provided it.
An early stage company doesn’t have much to pay you with, but they’re thankful for the help.
From my perspective, protecting the data of 10k users was just as important as, or more important than, protecting the data of 1.5m users.
I feel bad when people assume negative intent. I don’t think anyone at this company wanted to violate the privacy of their users; they just didn’t get the message through the right channels.
One line of reasoning is that everyone will know about companies leaking data of millions, so they can take steps to mitigate, whereas probably no one will know about a leak like this and will just live unaware.
1) early users feel the most connected with your technology and are the most hurt when you screw them over. At that stage, it can sink your company.
2) fixing this when you have 10k users prevents you from leaking the data of the next 1.49m users.
Generally it boils down to whether or not the company has some kind of bug bounty program. If they do and it’s in scope, you will probably get paid; in this case likely $1-5k.
Smaller companies that don’t have a bug bounty might provide a token reward just because, larger companies generally won’t.
Any company that hasn’t explicitly authorized ‘research’ might also choose to sue.
At a certain point I think we'll arrive at the collective realization that we all have digital skeletons in our closet. When we all stink, nobody stinks.
That is basically the middle of London. I expect hundreds of thousands of people pass through the area in the screenshot every day. The density of people there is so high that the location really can't be linked to anyone specific. Plus it is real time location so you can't distinguish if this is a person's home, someone at work, someone checking the app while sitting on a bus, etc. This location data would be much more dangerous if it was showing the manually entered addresses of users, a screenshot of an area with a low density of people, or if you had constant access and could identify patterns of locations to identify individuals.
To play devil's advocate, since London is coated with CCTV, some bad actor (think state or organisation with access to said CCTV) here could probably combine the location timestamps with CCTV images and identify people.
I am sure some civil servant could argue that knowing if people in "positions of power" were using such apps that opened them up to blackmail means they should therefore be checked as a precaution.
If you've ever had a crime committed against you in London you'll know just how useless the CCTV can be. The quality is often so bad you can't really get anything useful from it, and in many cases the camera isn't even on/working/recording to anything.
I had my bike nicked a few weeks ago in London. Turns out the council installed new HD/4K cameras that very morning right where I left it - they managed to ID and arrest the perp, and charge him with multiple other thefts too.
So it looks like the crappy CCTV is getting an upgrade.
At this moment it might be a concern, but in another 20-30 years (especially as organized religion fades in some countries) people will stop seeing sex as a shameful thing.
Privacy is important, however, so apps/services should not leak this kind of info. That's still a thing regardless of what the repercussions of leaked data could mean.
No state organization has access to all that CCTV. Most of them are private cameras, and most are not networked. Some of the local authorities in central London do have networked cameras facing the streets, but it's not nearly as bad as you're suggesting.
The users' data is far more secure as a result of Pen Test Partners' actions. So there's a dot on a map within a block or two of your downtown apartment, indicating that somebody in the area is freaky. As opposed to a public API leaking your location, birthdate, orientation, kinks, and nudes.
All of this makes me wonder when - not if - there's going to be House of Cards style blackmail + intrigue when it comes to leveraging data leaks like these over politicians or influential people.
"Vote for this or we expose your $recent_embarrassing_breach data" is quite a powerful ultimatum, no? And the only way to win is not to play (e.g. never download + use a potentially embarrassing app), and we know that many aren't so digitally savvy, so this seems like a gold mine for nefarious uses.
I dunno, maybe it's too tin-foily, but it feels inevitable.
Although I heard they targeted a personal phone, I don't think it makes that much difference. Computers are insecure in all sorts of ways, whether it's your own phone or somebody's servers.
In that case they were trying to blackmail him into making some public statement, with pretty high stakes as far as I remember.
And it appears Jeffrey Epstein may have been using compromising information to blackmail the rich and powerful and then laundered the money through a fraudulent hedge fund operation.
Maybe Epstein never actually needed to blackmail anyone? Maybe they were just happy to be sold tickets on the Lolita Express? I’m sure he kept some blackmail material regardless, which will soon be revealed.
Bezos' investigator Gavin De Becker claims that the Saudis hacked the phone. National Enquirer already knew about the affair when they contacted the brother.
It’s well known that the FBI had dossiers on political opponents that were used to silence them, or attempt to silence them (Daniel Ellsberg, Martin Luther King). What you’re proposing would merely be the same concept with a different leverage mechanism. I’m sure private interests would also have the same ideas.
You're right, and that's where the parallel I offered kind of breaks down: the digital-domain hacks can scale much more readily than the older ones could, and even at the targeted level, digital information-gathering may be less risky.
If there's anybody that actually thinks that conspiratorial, consider two mutually exclusive options, one of which must be true:
1) Companies collecting massive amounts of data will only use the data in a lawful and ethical fashion, even in cases where they perceive there to be a potential for significant gain in misuse.
2) Companies collecting massive amounts of data will, sooner or later, use that data in an unlawful or unethical fashion to exploit others in a way that stands to potentially significantly boost their power/influence/wealth.
I'm going a step beyond and suggesting the exploitation will come, not from leaks, but directly from the data harvesting companies. The reason is simple. Again, the two scenarios above are mutually exclusive and one must be true. So what would you place the probability weighting as? I think most everybody would agree that the probability of #2 is very near 100%. It's also possible that it is literally 100%, in that it has already happened but we don't know about it. Truly effective blackmail would obviously not be headline news.
It's plausible but not very probable, at least as far as policy positions are concerned. With the current campaign financing laws, there are legal ways to coerce politicians into voting a certain way. It's more risky to blackmail them.
He was very anti-Trump and then later pro-Trump. Though it's not clear whether it's a result of coercion or anything other than Graham capitulating to work to get stuff done.
After this latest spiral down in the degradation of politics I feel like that kind of information would nearly be a badge of honor. When your highest seat of the government does pr0n stars, well, the bar is pretty low.
You've probably got the direction of causation backwards.
People who want lots of sexual partners seek ways to get that. Many people are attracted to the powerful. So people who can't stand to keep it in their pants are more likely to seek positions of power.
> Not sure what it is about politics and/or power that somehow makes it so difficult to keep it in your pants.
Sexual aggression has been a virtue signal of male power and status since the days when kings compared the size of their slave harems. Modern men have been taught through all forms of commercial media that their value as people is directly proportional to the amount of casual sex they have. Culturally, power and sex have always been linked.
When Trump said he could just grab women by the pussy and get away with it, of course, he was right. At that level of privilege one often doesn't need to keep it in their pants. Propriety and chastity are for lesser men to whom legal and social consequences can be applied.
Two steps forward, one step back, unfortunately. It's difficult to make progress when rape culture is a billion dollar industry and we're in the midst of an anti-progressive social backlash. At least every now and then a Bill Cosby or Harvey Weinstein gets raked over the coals.
Maybe it's simply due to the existence of social media and an actual positive effect of "outrage culture" but a few decades ago such people would have been all but untouchable.
I think most people who are concerned are bothered by the non-consensual activity. The people most likely to make public complaints about marital infidelity only do so for their political opponents and voted for him by something like 90%.
Do regular people care with their words or with their votes? Because if it just words then how much care is there? As Mitch McConnell's office has stated recently, "Boys will be boys."
Isn't that an informal assessment of American culture?
Certainly not of corporate culture. People get fired for stuff like that all the time. Johnah Friedland said the n-word and had to step down from Netflix and he didn't even use it in a racist context. He only said the word as he listed offensive words.
Weird sex stuff can certainly be used to affect people in powerful corporate positions.
You can also win by presenting a public persona that is slightly degenerate/shambolic, so such an embarrassment will only add to your appeal in your support base...
I actually worry more about the other threat implied by your use of dynamically inserting kompromat in a message.
Imagine sending emails like that at scale in key voting districts. Sure it would get shut down. Substantial, irrevocable damage could still be done in the form of voter suppression.
You mean it would get shut down if done officially? Otherwise, I don't really see an option of shutting it down once the emails are underway. I doubt that providers will manually kill emails from their users' mailboxes, even if they were allowed to.
One thing rarely discussed with a Gmail hack is that it isn't just email, it's location history, search history, backed-up photos, app store history (on Android) AND browsing history. With that data almost anyone could be a blackmail target.
I don't think you're far off. Plus, who knows how long the bad guys had to harvest this stuff prior to the good guys finding it. Or I wouldn't put it past some foreign hacker agency or even the NSA from scooping it up for a rainy day.
At some point, I think the public will just stop caring. American society has already reached that level in some ways. I can't imagine the President's supporters caring about anything bad he's ever done.
Well, Black Mirror (the TV series) has played with this topic. It has already played out in some ways, where there have been stories of people being manipulated because someone gets compromising video by hijacking people's cams and then leverages that to get more. So there is a good possibility it's playing out involving people of influence.
It wouldn't matter if we weren't so uptight about sex (thanks, Christianity!). Granted, what goes on behind your doors may not be what I want to see, but it should not cost you much more than a red face and some banter down the pub if it comes out. And perhaps not even that. Sex is sex, let's chill out about it.
This is the best explanation available for why the "black budget" grows ever larger. Who would dare vote against that? Maybe an angel? Maybe someone so obviously corrupt and disgusting that additional proof of those qualities wouldn't surprise any voter.... hmmmm.
Isn't the problem hypocrisy rather than group sex? You can perfectly legally have group sex in the UK (if all participants are legally consenting), the people most likely to object are those who think they're in a trusting monogamous/monoandrous relationship with one of the participants.
The primary reasons people can be blackmailed seem to be because they've not been forthright, or, they themselves perceive it as wrong.
I'd extend that to hypocrisy and/or dishonesty, and yes those are valid objections (IMO the only ones), but my problem is the apparent view that the act alone is socially reprehensible, not the secondary issues of being two-faced, or going behind your partner's back without their knowledge.
So yes I completely agree with you, once those 2 issues have been teased apart. The GP comment with "obviously corrupt and disgusting" was objectionable. TBF looking at other comments I see little or none of that.
All it takes is staff or interns to compromise an entire political campaign. Just because they aren't the primary candidate doesn't mean they don't have access via blackmail to the information someone is looking for. It really is a huge security nightmare with people that have a candidate's calendar or even access to a candidate's email. Also, in terms of Trump possibly being compromised. Google Jeffrey Epstein.
To be clear, I do not have any illusory perception of the personal morality of Trump; it's just that location data isn't enough to really tie anyone to any official or important person. You can just claim it was an intern, even if the politician was the user, and fire the intern. My point is it's not as potentially damaging as, say, actual evidence of scandalous behavior is.
For example, there was the comedic Ted Cruz Twitter scandal in which his account liked a Pornhub video featuring incest play. He claimed it was a staff mistake and moved on.
Maybe I didn't have enough coffee yet today, or maybe I'm just missing something entirely, but.... this whole report talks about how the web API leaks user data, right? Yet all I see in their examples are HTTPS requests. Doesn't that require that somebody already infiltrated either a client device (scope limited to single client), or a central server? How did they man-in-the-middle/decrypt this HTTPS traffic?
True, if a web cache (not under exclusive control of the company) can be queried for this data by a 3rd party, it sure is a big problem. But that is rather an operational fuck-up more than it is a fundamental design flaw.
How did these pen testers get access to server requests, inside the HTTPS traffic with 3fun's servers? I'm curious how they got access to this info. I'm also curious why nobody else appears to be asking that question. Did I read the article too quickly and miss something that explains how they did that?
The data they are examining was meant so the app knows how many people are "in your area", but instead of just giving you some vague information, it's giving you the exact coordinates of other users, and identifying info about them.
Really, one could argue it's not even "leaking" data about other users, it's just delivering that data to you per your request. "Leak" kind of implies at least disclosing info about other users was not your intention, whereas this seems more like "Delivering".
> "Leak" kind of implies at least disclosing info about other users was not your intention
That's the whole point - it's not uncommon for (very) junior programmers to not understand the difference between client and server-side validation. This is absolutely a leak.
> How did they man-in-the-middle this HTTPS traffic?
The easiest way would be to use an HTTPS debugging proxy like Charles.
But really, since the testers control the client device, they can do whatever they want.
The problem is that 3fun trusts the client to keep other users' data private. This is pretty obviously a bad idea, since attackers can modify the client in pretty much any way they like.
They are using Burp to proxy the HTTP requests. Assuming there's no proper CA validation on the client side or client certificates, it's quite trivial.
I made the mistake of assuming that the web API would only give access to data related to a specific client device (thus only "leaking" info about that client).
If their web API gives access to info of other clients, that is indeed a serious design fuck-up.
I don't know how this was done, but traffic could presumably be intercepted by using a proxy and installing the certificate for the proxy on the device - you have a secure connection from the app to the proxy and a separate secure connection from the proxy to the servers but the proxy gets to see all traffic in the clear.
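The point made in this sub-thread (the server trusts the client to hide other users' data, so whatever proxy or modified app is used to look at the raw responses, the leak is already in the API) and the earlier comment about the Finnish app (an authentication header on its own does nothing to stop a logged-in user from collecting everyone's data) are illustrated by the following example. It is added here and is not code from the thread, from 3fun or from Pen Test Partners: a "nearby users" endpoint modelled as plain Python functions, with a vulnerable version beside a hardened one. All users, tokens, coordinates and the `distance_band` thresholds are constructed assumptions.

```python
"""Added example (not from the thread or any app it discusses): a
"nearby users" endpoint that trusts the client to hide private fields,
beside a version that enforces them server-side. Sample data is constructed."""
from dataclasses import asdict, dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Profile:
    user_id: int
    lat: float
    lon: float
    birthday: str
    photo_url: str
    photo_private: bool  # user's privacy setting for the photo


# Constructed sample users somewhere around central London.
PROFILES = {
    1: Profile(1, 51.5074, -0.1278, "1990-01-01", "https://cdn.example.test/p/1.jpg", True),
    2: Profile(2, 51.5100, -0.1300, "1985-06-15", "https://cdn.example.test/p/2.jpg", False),
    3: Profile(3, 51.5200, -0.1400, "1992-03-09", "https://cdn.example.test/p/3.jpg", True),
}
# Constructed sessions: bearer token -> user id (the "authentication header").
SESSIONS = {"tok-alice": 1, "tok-bob": 2}


def authenticate(headers):
    """Return the calling user's id, or None if the bearer token is unknown."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return None
    return SESSIONS.get(value[len("Bearer "):])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def nearby_vulnerable(headers):
    """Authenticated, but ships every field of every other user.

    The app's UI may well hide the photo and show only "nearby"; the server
    still sent the exact coordinates, birthday and private photo URL, so any
    client the caller controls (or a proxy in front of it) sees them all,
    and one logged-in account can harvest the whole user base."""
    me = authenticate(headers)
    if me is None:
        return 401, []
    return 200, [asdict(p) for p in PROFILES.values() if p.user_id != me]


def client_side_filter(rows):
    """What a well-behaved client would display: irrelevant to security,
    because the unfiltered rows already left the server."""
    return [{"user_id": r["user_id"]} for r in rows]


DISTANCE_BANDS_KM = (1, 5, 25)  # assumed coarse bands for the hardened API


def distance_band(km):
    for band in DISTANCE_BANDS_KM:
        if km <= band:
            return f"within {band} km"
    return f"more than {DISTANCE_BANDS_KM[-1]} km away"


def nearby_hardened(headers):
    """Same endpoint with the privacy decisions made on the server:
    coarse distance instead of coordinates, no birthday, and the photo
    only when its owner has not marked it private."""
    me = authenticate(headers)
    if me is None:
        return 401, []
    mine = PROFILES[me]
    rows = []
    for p in PROFILES.values():
        if p.user_id == me:
            continue
        km = haversine_km(mine.lat, mine.lon, p.lat, p.lon)
        row = {"user_id": p.user_id, "distance": distance_band(km)}
        if not p.photo_private:  # privacy flag enforced here, not in the client
            row["photo_url"] = p.photo_url
        rows.append(row)
    return 200, rows


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer tok-alice"}
    print("vulnerable:", nearby_vulnerable(hdrs)[1])
    print("hardened:  ", nearby_hardened(hdrs)[1])
```

Running it as Alice shows the vulnerable response carrying Bob's and the third user's exact coordinates, birthdays and photo URLs (including the one marked private), while the hardened response carries only user ids, a distance band and the single photo its owner chose to make public. The "how did they see the HTTPS traffic" question is beside the point for the fix: the hardened handler gives the same minimal answer no matter what is sitting between app and server.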
Isn't ~35 days very short for a responsible disclosure timeline? This is extremely sensitive info and from the blog post it sounds like they didn't even warn the company that they were planning to disclose it.
edit: didn't notice the article does mention the problem was fixed before publishing, although they don't say how well it was fixed
I’m just waiting for the day when Tinder is down in popularity, security fixes are a bit more lackadaisical and a zero-day exposes a decade of personal preferences of a large share of the population, not unlike a nuclear waste leak. Imagine the awkwardness when a coworker finds out you swiped them left (or right).
And no, I am not going to end this with a paternalistic or moralistic statement.
I certainly chuckled at the combination of the title and the domain the article is hosted at. pentestpartners sounds like it could be the name of a group sex app...
I know you’re joking but I think it’s a big problem in a lot of these very private apps that don’t get a lot of security attention before they’re released. Lovense, for example, is a pretty popular smart toy brand that has a bit of a history of security & privacy issues. Both device hacking[1] and sketchy data collection[2].
I don’t know if it’s because they’re less secure than their competitors or because they’re a bigger brand so their security is looked at more often. I suspect they have terrible security but are probably a lot more secure than their smaller competitors.
I've long maintained that the only reason that "router", against all convention, is pronounced "rouw-ter", is that nobody is going to stand at the front of a lecture hall or meeting room and discuss a piece of hardware called a "rooter".
Reminds me of a similar submission a while ago: https://news.ycombinator.com/item?id=18029078 Shame that they transmit sensitive information like that in a URL param in plaintext.
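As an added example, not from the comment above or from the submission it links: a small detector that flags requests carrying sensitive values in the URL query string, rating plaintext `http://` URLs as the more severe case (anyone on the path reads them) while still flagging `https://` ones (query strings end up in server and proxy logs, browser history and Referer headers). The log format, the hostnames and the `SENSITIVE_PARAMS` list are constructed assumptions; adapt `parse_line()` to a real proxy or access-log layout.

```python
"""Added example (not from the thread): flag sensitive data carried in URL
query parameters, with plaintext http:// treated as high severity.
Log lines are constructed samples in a made-up 'timestamp method url status' layout."""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names worth flagging for a location/dating style API.
SENSITIVE_PARAMS = {
    "lat", "lon", "lng", "latitude", "longitude", "token", "session",
    "password", "email", "dob", "birthday", "phone",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Split one constructed-format log line into fields, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_url(url):
    """Return a finding for a URL whose query string names sensitive parameters."""
    parts = urlsplit(url)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    hits = sorted(names & SENSITIVE_PARAMS)
    if not hits:
        return None
    severity = "high" if parts.scheme == "http" else "medium"
    return {"host": parts.hostname, "path": parts.path, "params": hits, "severity": severity}


def scan(lines):
    """Run inspect_url over every parseable line; malformed lines are skipped."""
    findings = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        finding = inspect_url(rec["url"])
        if finding:
            finding["line"] = number
            findings.append(finding)
    return findings


# Constructed sample traffic (hosts and values are invented).
SAMPLE_LOG = [
    "2019-08-08T10:00:01Z GET http://api.example.test/v1/nearby?lat=51.5074&lon=-0.1278&token=abc123 200",
    "2019-08-08T10:00:02Z GET https://api.example.test/v1/nearby?lat=51.5100&lon=-0.1300 200",
    "2019-08-08T10:00:03Z POST https://api.example.test/v1/nearby 200",
    "2019-08-08T10:00:04Z GET https://cdn.example.test/p/2.jpg?w=200 200",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']:6} {f['host']}{f['path']} params={f['params']}")
```

On the sample, line 1 is reported as high (coordinates and a token in a plaintext URL), line 2 as medium (coordinates in an HTTPS URL, still logged wherever that URL is recorded), and the POST, the image fetch and the malformed line produce nothing. The usual remediation for the flagged endpoints is to move the values into the request body or headers of an HTTPS request, and to rotate any token that has already appeared in logs.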
I agree that the ineffective privacy setting is broken, but I feel like an app which has as part of its functionality finding users near you, naturally needs to tell others your location, and vice-versa. I assume any app which asks for GPS permissions is going to phone home with your location.
"There's someone within a mile of you" and "here's their coordinates down to ~30 feet, and their supposedly private photo, and their birthday" are very different bits of info.
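The difference the comment above draws can be put in numbers. The following is an added example, not from the thread or any app it discusses: it compares the ground area a user is pinned to when the API returns coordinates rounded to N decimal places against a coarse "within X" distance band. It uses the standard approximation of about 111,320 m per degree of latitude (with the cosine correction for longitude), and the 51.5° latitude and one-mile band are constructed inputs.

```python
"""Added example (not from the thread): how much of the map a location
disclosure narrows a user down to, for rounded coordinates versus a
distance band. Inputs below are constructed."""
from math import cos, pi, radians

METRES_PER_DEG_LAT = 111_320.0  # standard approximation, well under 1 % off
MILE_M = 1609.344


def coordinate_cell_metres(decimals, lat):
    """Size (north-south, east-west) in metres of the grid cell that a
    coordinate rounded to `decimals` places can fall in, at latitude `lat`."""
    step = 10.0 ** -decimals
    lat_m = step * METRES_PER_DEG_LAT
    lon_m = step * METRES_PER_DEG_LAT * cos(radians(lat))
    return lat_m, lon_m


def coordinate_cell_area_m2(decimals, lat):
    ns, ew = coordinate_cell_metres(decimals, lat)
    return ns * ew


def band_area_m2(radius_m):
    """Area of the disc a 'within radius' answer leaves a user somewhere in."""
    return pi * radius_m ** 2


def precision_ratio(decimals, lat, radius_m):
    """How many times larger the band's search area is than the rounded
    coordinate's cell: the factor by which the band protects the user better."""
    return band_area_m2(radius_m) / coordinate_cell_area_m2(decimals, lat)


def disclosure_table(lat, radius_m, decimal_range=range(2, 7)):
    """Per number of decimal places: cell edge lengths, cell area and the ratio
    against the band, as plain dicts for reporting."""
    rows = []
    for d in decimal_range:
        ns, ew = coordinate_cell_metres(d, lat)
        rows.append({
            "decimals": d,
            "cell_m": (round(ns, 2), round(ew, 2)),
            "cell_area_m2": round(ns * ew, 2),
            "band_to_cell_ratio": round(precision_ratio(d, lat, radius_m)),
        })
    return rows


if __name__ == "__main__":
    for row in disclosure_table(51.5, MILE_M):
        print(row)
```

At 51.5° N, coordinates with four decimal places (the usual precision an app receives from a phone) resolve to a cell of roughly 11 m by 7 m, about 36 ft north-south, which is the "~30 feet" figure in the comment; "within a mile" leaves a disc of about 8 km², a search area around a hundred thousand times larger. Two decimal places (a cell of roughly 1.1 km by 0.7 km) is the first rounding that is comparable to the mile band, which is why a hardened API returns a band or a rounded value rather than what the phone reported.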
The assertion being people who want to have threesomes are less likely to have children?
I suppose that could be the case; however, I am fairly unconvinced that this has any real effect on the population in comparison to the cost of having a child, coupled with the rise in understanding of the costs involved with having a child.
In the Western world and Asia, fertility is below replacement level, and in the Western world, the fraction of children born out of wedlock, who do worse than children of married couples by any measure, is rising. So I think working on something like eHarmony is much more moral than the app discussed in this thread.