It seems like they implemented permission checks purely in the frontend, and not just on one endpoint, but almost everywhere.<p>While it is conceptually easy to avoid this, I have seen similar mistakes much more frequently than I would like to admit.<p>Edit: the solution "check all permissions on the backend" reminds me of the solution to buffer overflows: "just add bounds checks everywhere". It's clear to the community at large what needs to be done, but getting everyone to apply this consistently is... not so easy.
And that’s a very good reason never to fill in exact personal data, e.g. date of birth. Especially dating apps seem to need them, but don’t do it. Fill in something within a year or so from your real birthday.<p>And while this dating app isn’t well known, it caters to people with different tastes (such as BDSM and group sex) and queer people. Needless to say that this is very sensitive in many parts of the world.
They were in the press a lot this week, but for earning money.<p><a href="https://www.theguardian.com/technology/article/2024/sep/08/throuples-dating-app-feeld-nearly-doubles-turnover-to-395m" rel="nofollow">https://www.theguardian.com/technology/article/2024/sep/08/t...</a>
The online dating space (I use the term liberally) is a huge fucking mess. There's only 2 or 3 companies with an offering that is anywhere near useful, and they're either evil, incompetent, or both.<p>Maybe it's time for an open source federated dating service or something. Or at least something that doesn't sell your data, doesn't leak your nudes, or doesn't get you beaten up/raped/murdered. Probably easier said than done.
This is utterly horrifying, clearly absolutely zero thought was put into security at all.<p>I'm a game developer and we put more effort into keeping our game fair than this company does in keeping its users safe. They should be sued into oblivion.
Hot take: this is a problem with GraphQL.<p>GraphQL allows your front-end to query your data. Which is cool. But from the backend this is all really opaque (and usually implemented by a 3rd party library that has no idea about your access control).<p>Unless you're going to implement your access control in the database itself (not the worst idea, certainly better than doing it in the front end), then it's very hard to unwrap the GraphQL query in backend code to work out exactly what records should be returned/restricted.<p>Implementing decent access control in the backend means understanding the query and implementing a whole set of models/classes/functions/whatever that grok the database schema and can make decisions about "if the user_id is XXX then it can/cannot see this image in this context" [0]. They obviously implemented this in the front end because that's a lot easier with GraphQL.<p>I'm not saying this is a good implementation of GraphQL and that therefore the problem lies with GraphQL exclusively. I'm saying that GraphQL makes this mistake easier to make because it explicitly tries to remove the need for the backend to understand the query and so makes this kind of complex security situation harder.<p>[0] e.g. a specific image may be publicly accessible from the user's profile, or only available to matches, or only in a chat context (but not group chats), and inaccessible at any time from blocked users, etc. You can easily come up with a bunch of complex edge cases for just this one case.
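Added example, not part of the comment above and not the app's code: one way to keep the image-visibility cases from footnote [0] in a single server-side policy function that every GraphQL resolver returning an image must call, with the viewer identity taken from the server session rather than from query arguments. The data model, IDs and names (`db`, `canViewImage`, `viewerId`) are hypothetical and the sample data is constructed.

```javascript
// Constructed sample data; hypothetical schema, not the app's real one.
const db = {
  images: {
    img1: { id: "img1", ownerId: "u1", visibility: "public" },
    img2: { id: "img2", ownerId: "u1", visibility: "matches" },
    img3: { id: "img3", ownerId: "u1", visibility: "chat", chatId: "c1" },
    img4: { id: "img4", ownerId: "u1", visibility: "chat", chatId: "c2" },
  },
  matches: new Set(["u1:u2"]),   // unordered pair, stored sorted
  blocks: new Set(["u1:u4"]),    // "blocker:blocked"
  chats: {
    c1: { members: ["u1", "u2"], group: false },
    c2: { members: ["u1", "u2", "u3"], group: true },
  },
};

const pair = (a, b) => [a, b].sort().join(":");

// Central policy: default deny, block list checked before any allow rule.
function canViewImage(viewerId, image, ctx = {}) {
  if (!viewerId) return false;                        // unauthenticated
  if (viewerId === image.ownerId) return true;        // owner sees own images
  if (db.blocks.has(`${image.ownerId}:${viewerId}`)) return false;
  switch (image.visibility) {
    case "public":
      return true;
    case "matches":
      return db.matches.has(pair(viewerId, image.ownerId));
    case "chat": {
      // Only inside the one-to-one chat the image was sent in.
      const chat = db.chats[ctx.chatId];
      return Boolean(chat) && !chat.group &&
        ctx.chatId === image.chatId && chat.members.includes(viewerId);
    }
    default:
      return false;                                   // unknown visibility
  }
}

// Resolver: context.viewerId comes from the authenticated session,
// never from client-supplied args. Missing and denied both return null,
// so the response does not reveal whether the image exists.
const resolvers = {
  Query: {
    image(_parent, args, context) {
      const image = db.images[args.id];
      if (!image) return null;
      const ok = canViewImage(context.viewerId, image, { chatId: args.chatId });
      return ok ? image : null;
    },
  },
};
```
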
I'm not terribly surprised. I use it but would describe it as incompetently put together as my bank app? maybe worse, it barely functions at all. I don't know how they managed it.
I am honestly amazed that these researchers held off for as long as they did on publishing. If crappy startups are given 6 months to close egregiously bad privacy holes like this, they will continue to abuse the privilege they have in collecting this information to begin with. I say give them 2 months and then release. Fuckers need to learn not to play dice with people's private information.
Saddest part is that this sort of stuff or at least not proper authorization checks is very common. I do not really know what is the solution at this point. Clearly not enough developers care. Or can stop it...<p>Is it an education problem? If so, if there was a training budget, a day or two running against some simple capture-the-flag exercise might do a lot...
(This is a throwaway account but I've been on HN for a decade)<p>I just read this and attempted to delete mine and my partner's profile data. The process is currently totally broken in-app. There is no way to proceed past a certain point. There's nothing self-identifying about us in the app but still.... I'm furious.
Anybody who's ever used this app is probably not surprised to hear this. It's been a shitshow since day one, one of the buggiest apps I think I've ever used.<p>Even with a full redesign/rebuild over the past year it still is nothing but glitchy software.
> View other people’s matches<p>"BRB going to slaughter everyone my wife has chatted to"<p>Hard to believe the levels of incompetence here<p>They have investor funding ... how come no due diligence was done?
This is pretty funny. I've been abusing this shitty API for a while to see who likes me in this dating app.<p>I didn't realise the problems were this bad. They've had massive issues with their tech stack from a user POV. I've multiple times had my phone running incredibly hot while using it.
Useful context is that they completely redid the app from scratch in 2023 using a contractor instead of in-house developers and the launch was not very smooth.<p><a href="https://mashable.com/article/feeld-app-down" rel="nofollow">https://mashable.com/article/feeld-app-down</a>