Hacker News: Feeld dating app – Your nudes and data were publicly available

Source URL: https://fortbridge.co.uk/research/feeld-dating-app-nudes-data-publicly-available/
Source: Hacker News
Title: Feeld dating app – Your nudes and data were publicly available

Feedly Summary: Comments

AI Summary and Description: Yes

**Summary:**
This detailed analysis uncovers significant security vulnerabilities in the Feeld dating mobile application, resembling the notorious issues highlighted within the OWASP Top 10 list, primarily under ‘Broken Access Control.’ The findings emphasize critical areas of concern for security professionals focused on mobile app security and back-end controls, revealing how attackers can exploit unauthenticated access to sensitive user information and actions.

**Detailed Description:**
The text outlines a comprehensive penetration testing exercise conducted on the Feeld mobile application, focusing on its security controls and pinpointing numerous vulnerabilities. The review indicates that many of the exploits stem from inadequate access controls, specifically classified under “Broken Access Control” by OWASP, which poses significant risks to user privacy and application integrity.

**Key Vulnerabilities Identified:**
1. **Disclosure of Profile Information to Non-Premium Users:**
– Basic users can access premium user data via intercepted requests using proxy tools, blurring the lines of user subscription hierarchy.

2. **Reading Other People’s Messages:**
– An attacker can extract the `streamUserId` of a target profile and access chat messages, which should be exclusive to the intended recipient.

3. **Unauthenticated Access to Attachments:**
– Attackers can retrieve photos and videos shared in chats, compromising user privacy through unauthorized access.

4. **Editing and Deleting Messages for Others:**
– Attackers can alter or remove messages sent by other users, potentially leading to misinformation and manipulation.

5. **Updating Someone Else’s Profile Information:**
– Users can modify the profiles of other individuals without permission, leading to identity misrepresentation.

6. **Sending Messages in Other People’s Chats:**
– An attacker can post messages in chats where they are not participants, creating confusion about the message origin.

7. **Viewing Other Users’ Matches:**
– Attackers can discover the matches of other users, revealing sensitive relationship data.

**Insights for Security Professionals:**
– **Implementing Robust Security Controls:** The vulnerabilities illuminated by this research pinpoint the urgent need for stringent backend security practices to prevent unauthorized data access.

– **Regular Security Audits:** Continuous engagement in penetration testing and security reviews can flag vulnerabilities before malicious actors exploit them, enhancing the overall security posture of mobile applications.

– **Role-Based Access Control (RBAC):** The necessity for a well-defined RBAC system is critical in safeguarding user data, ensuring that access levels correspond accurately to user roles and subscriptions.

– **User Education:** Users should be educated on security features within the application to understand the implications of unauthorized access and potential user actions that could compromise security.

In conclusion, the revelations from testing Feeld depict a broader need for vigilance in mobile application security, particularly for platforms that involve personal data sharing, where a single vulnerability could significantly impact user trust and safety.