A security lapse at the dating app Raw exposed users’ personal and location data, according to TechCrunch. The exposed information included users’ display names, birthdates, dating and sexual preferences, and precise location coordinates.
Raw, launched in 2023, claims to provide more authentic interactions by requiring daily selfie uploads from users. While the exact number of users is undisclosed, the app has over 500,000 downloads on Google Play.
The security issue emerged the same week Raw announced a hardware extension, the Raw Ring, which is intended to track a partner’s heart rate and other data for AI insights, potentially detecting infidelity. Despite privacy concerns, Raw asserts its app and device use end-to-end encryption to protect users’ data.
TechCrunch’s testing found no evidence of end-to-end encryption, instead revealing a public data spill accessible to web users. Raw resolved the issue swiftly after TechCrunch notified them. Marina Anderson, Raw’s co-founder, confirmed that additional security measures are in place but indicated no third-party security audit had been conducted. Affected users will not be proactively informed, but a report will be submitted to data protection authorities.
The duration of the data exposure is unclear as investigations continue. Anderson stated that Raw uses encryption in transit and is reviewing its security protocols.
During testing, TechCrunch discovered the vulnerability using a virtual Android device. The app exposed user data because of a lack of authentication, a type of vulnerability known as an insecure direct object reference (IDOR). An IDOR allows unwanted access to other users' data, akin to having a universal key that opens all mailboxes on a street.
Following the fix, the affected server no longer publicly reveals user data.
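The IDOR pattern described above, next to a server-side check that closes it, as an added example. This is not Raw's code or its actual fix; the function names, user ids and records are constructed, and the field names only mirror the data types listed in the article.

```python
from dataclasses import dataclass, asdict

@dataclass
class Profile:
    user_id: int
    display_name: str
    birthdate: str
    preferences: str
    lat: float
    lon: float

# Constructed sample records, keyed by a guessable numeric id.
PROFILES = {
    1001: Profile(1001, "alex", "1994-02-11", "constructed", 52.520008, 13.404954),
    1002: Profile(1002, "sam", "1990-07-30", "constructed", 48.856613, 2.352222),
}

class Forbidden(Exception):
    """Raised when the request must not be served."""

def get_profile_vulnerable(requested_id):
    # IDOR: no session, no ownership check. Whoever supplies an id
    # receives the full record, precise coordinates included.
    return asdict(PROFILES[requested_id])

def get_profile_hardened(session_user_id, requested_id):
    # 1. Authentication: the caller must map to a known account.
    if session_user_id is None or session_user_id not in PROFILES:
        raise Forbidden("authentication required")
    profile = PROFILES.get(requested_id)
    if profile is None:
        raise Forbidden("not available")
    # 2. Object-level authorization: only the owner gets the full record.
    if session_user_id == requested_id:
        return asdict(profile)
    # 3. Data minimization for everyone else: drop birthdate and
    #    preferences, round coordinates to one decimal (about 11 km).
    return {
        "user_id": profile.user_id,
        "display_name": profile.display_name,
        "lat": round(profile.lat, 1),
        "lon": round(profile.lon, 1),
    }
```

The check runs on the server for every object lookup, so it holds regardless of which client or emulator sends the request.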