3Fun, dating app for threesomes, was hacked; multiple users blackmailed

Currently there is a mobile app related to any need, service or hobby, even to arrange sexual encounters with complete strangers. However, like any online service, such applications are exposed to the interest of threat actors, which could compromise some users’ information and even expose aspects of their personal lives, say web application security experts.

One of the most recent cases is that of 3Fun, described by its developers as “an ideal dating app for curious couples and singles”. It is a service for over 18s that currently has more than 1.5 million users worldwide, according to the data of the creators.

While 3Fun developers argue that the app has the best privacy protections, such as the use of private photo albums, web application security specialists at Pen Test Partners claim otherwise. A study conducted by this firm mentions that 3Fun is probably the worst dating app in terms of information security.

This privacy failure, in addition to exposing users’ real-time location (no matter where they are), came to leak out sensitive data such as dates of birth, sexual preferences, in-app conversation history, and private photos.

According to web application security specialists, the leakage of location data from users of this kind of apps is due to a technique known as ‘trilateration’. This attack involves falsifying GPS coordinates and abusing some features of these apps to determine the location of users. However, this research highlights that, in the case of 3Fun, hackers do not require performing such sophisticated tasks, as the app itself is insecure and leaks users’ sensitive details.

In other words, no software is required to calculate a location from the distance between targets. “The latitude and longitude of users is available to anyone who knows where to look for this data”, the experts add.

Although users can restrict the exposure of their location data in the app’s settings menu, this data is sent to 3Fun servers using a GET request, so it is fully exposed to any data lurker. “The leaking occurs on the client side, so this data can be queried in the API to determine the position of the target”. Specialists included a demonstration of how to access a user’s exact location using this method.

While this technique may be fun for some leisure activities, web application security experts at the International Institute for Cyber Security (IICS) say that, in combination with leaked user data, such as the name or date of some malicious activities, such as harassment or extortion, may be made possible, not to mention that users’ private photos are also available through the API.

Although this investigation has already concluded, experts say it is highly likely to find more security vulnerabilities in this app.

Even when the developers were notified about these flaws more than a month ago, their response was unsatisfactory, as they only responded with a message: “Thank you for your kind notification. The problem will be solved shortly. If you have another suggestion, we’ll listen to it, salutes”.

Despite the multiple flaws in the app, after receiving some advice from the experts, the developers fixed these flaws a couple days after.

Originally published at https://www.securitynewspaper.com on August 9, 2019.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store