Group sex app 3fun has leaked the personal details, photos and locations of its 1.5 million users – including some in Downing Street and the White House.
Cyber security firm Pen Test Partners claims the app, which is used for arranging threesomes, exposes the near real-time location of any user.
It also reveals their date of birth, sexual preferences, chat data and pictures – even if they are set to private.
The company described the app as a "privacy train wreck", claiming that relationships and careers could be ended through this data being exposed.
"Several dating apps including Grindr have had user location disclosure issues before, through what is known as 'trilateration'," Pen Test labs said in a blog post.
"This is where one takes advantage of the ‘distance from me’ feature in an app and fools it. By spoofing your GPS position and looking at the distances from the user, we get an exact position.
"But, 3fun is different. It just 'leaks' your position to the mobile app. It's a whole order of magnitude less secure."
The security researchers were able to track the location of users in London and Washington, right down to the house and building level.
Users were detected in the White House, the US Supreme Court and Number 10 Downing Street – although the researchers admit it is technically possible for users to spoof their position.
As birth dates and private photos are also exposed in the leaked data, the researchers claim it would be fairly easy to work out the exact identity of the user, based on their location.
"This data can be used to stalk users in near real-time, expose their private activities and worse," they said.
Pen Test Partners contacted 3fun about the security issues on 1 July and asked them to fix the security flaws.
Luckily, 3fun took action fairly quickly, and has now resolved the problem.