In short: A dating application called DonaldDaters launched earlier this week and has already suffered a serious security breach, according to a message from the CEO posted to the service's website. The company says the breach was due to a lack of appropriate security measures in DonaldDaters' chat feature specifically. Although no figures are given for how many users may have been affected, the vulnerability could have allowed bad actors to impersonate users and engage in chats with other users. The chat service, which is maintained by a third-party developer, has now been suspended so that new security protocols can be implemented in partnership with an independent cybersecurity firm.
Background: DonaldDaters was initially launched this week to help supporters of the 45th US President get a date without "bias, judgement, or liberal intolerance," following an alleged wave of ridicule on traditional dating sites. Like many other apps in the category, the service is free to use and features algorithmic matchmaking, private chats, and a swipe mechanism to conveniently sift through potential meetups. Although the company maintains that no emails, phone numbers, credit card details, or 'fully identifiable' information were accessed during the breach, at least one Twitter thread from French security researcher Elliot Alderson appears to indicate that isn't quite the case. Mr. Alderson took to the social network to alert users to the dangers of using the application after he reportedly discovered an "assets" file in the app while digging around, prompted by its suspicious permission requests. That file appears to have contained all users' names, avatar photos, and platform, and even a token granting access to all private messages and more. All of that, Mr. Alderson claims, would have been visible to anybody with a rudimentary understanding of Android's manifest files and the Firebase Database platform used by the application. The researcher also shared several images, claimed to be of DonaldDaters users, to back up the claims.
Impact: Since DonaldDaters is still a relatively new application, there should not yet be too many users who might have been affected by the vulnerability. However, the problem also appears to extend well beyond a bug in a third-party chat feature, since Mr. Alderson was able to obtain all of that information simply by downloading the application and extracting a file. For now, the company plans to move forward with better security in place, but it is advising users who are concerned or have questions about the breach to contact the DonaldDaters support team.
You should not use this app. In 5 minutes, I managed to get:
- the list of all the people registered
- personal messages
- token to steal their session
Thread ⬇️ https://t.co/72KdNJTrmk
— Elliot Alderson (@fs0c131y) October 15, 2018