Vulnerabilities in the Feeld dating app

285 点作者 notmine13378 个月前

21 条评论

Cu3PO428 个月前

It seems like they implemented permission checks purely in the frontend, and not just on one endpoint, but almost everywhere.While it is conceptually easy to avoid this, I have seen similar mistakes much more frequently than I would like to admit.Edit: the solution "check all permissions on the backend" reminds me of the solution to buffer overflows: "just add bounds checks everywhere". It's clear to the community at large what needs to be done, but getting everyone to apply this consistently is... not so easy.

评论 #41518117 未加载

评论 #41517857 未加载

评论 #41518805 未加载

评论 #41518740 未加载

评论 #41527452 未加载

评论 #41518195 未加载

tgv8 个月前

And that’s a very good reason never to fill in exact personal data, e.g. date of birth. Especially dating apps seem to need them, but don’t do it. Fill in something within a year or so from your real birthday.And while this dating app isn’t well known, it caters to people with different tastes (such as bdsm and group sex) and queer people. Needless to say that this is very sensitive in many parts of the world.

intothemild8 个月前

They were in the press a lot this week, but for earning money.<a href="https://www.theguardian.com/technology/article/2024/sep/08/throuples-dating-app-feeld-nearly-doubles-turnover-to-395m" rel="nofollow">https://www.theguardian.com/technology/article/2024/sep/08/t...</a>

评论 #41518330 未加载

评论 #41519271 未加载

throwuxiytayq8 个月前

Criminal negligence levels of failure, especially given the category of app.

评论 #41518054 未加载

评论 #41517627 未加载

elric8 个月前

The online dating space (I use the term liberally) is a huge fucking mess. There's only 2 or 3 companies with an offering that is anywhere near useful, and they're either evil, incompetent, or both.Maybe it's time for an open source federated dating service or something. Or at least something that doesn't sell your data, doesn't leak your nudes, or doesn't get you beaten up/raped/murdered. Probably easier said than done.

评论 #41520733 未加载

评论 #41528304 未加载

greybox8 个月前

This is utterly horrifying, clearly absolutely zero thought was put into security at all.I'm a game developer and we put more effort into keeping our game fair than this company does in keeping it's users safe. They should be sued into oblivion.

评论 #41519265 未加载

评论 #41525166 未加载

marcus_holmes8 个月前

Hot take: this is a problem with GraphQL.GraphQL allows your front-end to query your data. Which is cool. But from the backend this is all really opaque (and usually implemented by a 3rd party library that has no idea about your access control).Unless you're going to implement your access control in the database itself (not the worst idea, certainly better than doing it in the front end), then it's very hard to unwrap the GraphQL query in backend code to work out exactly what records should be returned/restricted.Implementing decent access control in the backend means understanding the query and implementing a whole set of models/classes/functions/whatever that grok the database schema and can make decisions about "if the user_id is XXX then it can/cannot see this image in this context" [0]. They obviously implemented this in the front end because that's a lot easier with GraphQL.I'm not saying this is a good implementation of GraphQL and that therefore the problem lies with GraphQL exclusively. I'm saying that GraphQL makes this mistake easier to make because it explicitly tries to remove the need for the backend to understand the query and so makes this kind of complex security situation harder.[0] e.g. a specific image may be publicly accessible from the user's profile, or only available to matches, or only in a chat context (but not group chats), and inaccessible at any time from blocked users, etc. You can easily come up with a bunch of complex edge cases for just this one case.

评论 #41518191 未加载

评论 #41518731 未加载

评论 #41518448 未加载

评论 #41518392 未加载

egamirorrim8 个月前

Wow. Remarkably responsible, and compassionate, disclosure.

评论 #41518696 未加载

评论 #41518286 未加载

Coolbeanstoo8 个月前

I'm not terribly surprised. I use it but would describe it as incompetently put together as my bank app? maybe worse, it barley functions at all. I dont know how they managed it.

评论 #41518579 未加载

评论 #41521336 未加载

0xbadcafebee8 个月前

I am honestly amazed that these researchers held off for as long as they did on publishing. If crappy startups are given 6 months to close egregiously bad privacy holes like this, they will continue to abuse the privilege they have in collecting this information to begin with. I say give them 2 months and then release. Fuckers need to learn not to play dice with people's private information.

评论 #41518114 未加载

fire_lake8 个月前

God damn it. People deserve better than this. Almost inclined to take a pay cut to go and fix this mess.

评论 #41518091 未加载

评论 #41519574 未加载

Ekaros8 个月前

Saddest part is that this sort of stuff or at least not proper authorization checks is very common. I do not really know what is the solution at this point. Clearly not enough developers care. Or can stop it...Is it education problem? If so if there was training budget a day or two running against some simple capture the flag exercise might do a lot...

bogdan_t8 个月前

Easy to understand explanation: <a href="https://www.instagram.com/p/C_-8CdRpo86/" rel="nofollow">https://www.instagram.com/p/C_-8CdRpo86/</a>The Guardian article: <a href="https://www.theguardian.com/business/2024/sep/17/dating-app-feeld-personal-data-cybersecurity" rel="nofollow">https://www.theguardian.com/business/2024/sep/17/dating-app-...</a>

wasma8 个月前

Who do you trust? Would tinder and bumble have the same mindset?

评论 #41518738 未加载

评论 #41518722 未加载

zx80808 个月前

It's hard to expect any improvement while the personal data insecurity is tolerated without any penalty or fines.

throwaway-xdfef8 个月前

(This is a throwaway account but I've been on HN for a decade)I just read this and attempted to delete mine and my partners profile data. The process is currently totally broken in-app. There is no way to proceed past a certain point. There's nothing self-identifying about us in the app but still.... I'm furious.

评论 #41524618 未加载

a0918 个月前

interesting read - anyone have pointers to other app pentesting walk throughs like this?

评论 #41517747 未加载

评论 #41518076 未加载

评论 #41517757 未加载

Klonoar8 个月前

Anybody who's ever used this app is probably not surprised to hear this. It's been a shitshow since day one, one of the buggiest apps I think I've ever used.Even with a full redesign/rebuild over the past year it still is nothing but glitchy software.

stef258 个月前

> View other people’s matches"BRB going to slaughter everyone my wife has chatted to"Hard to believe the levels of incompetence hereThey have investor funding ... how come no due diligence was done ?

mikkelam8 个月前

This is pretty funny. I've been abusing this shitty API for a while to see who likes me in this dating app.I didn't realise the problems were this bad. They've had massive issues with their tech stack from a user POV. I've multiple times had my phone running incredibly hot while using it.

评论 #41524580 未加载

Throwaway1231298 个月前

Useful context is that they completely redid the app from scratch in 2023 using a contractor instead of in house developers and the launch was not very smooth<a href="https://mashable.com/article/feeld-app-down" rel="nofollow">https://mashable.com/article/feeld-app-down</a>