In a highly disturbing violation of user trust, the dating app Raw was discovered to have made sensitive user data such as exact location information, dating interests, and other identifying data publicly accessible due to a severe security vulnerability. TechCrunch’s Zack Whittaker discovered and reported the vulnerability, which sheds light on the app’s lax data protection practices despite its claims of end-to-end encryption.
Launched in 2023, promising to foster “genuine” connections through daily selfie uploads, Raw has attracted over 500,000 Android downloads. However, behind the glossy interface, TechCrunch’s investigative probe revealed that the app inadvertently leaked data to the open web with alarming granularity.
The exposed dataset included users’ display names, birthdates, sexual orientations, and location coordinates precise enough to place individuals at street level. This data was accessible without authentication via a publicly reachable server endpoint. Simply iterating user IDs in the app’s URL could yield private data from multiple accounts: a classic case of an Insecure Direct Object Reference (IDOR) flaw, where the server looks up a record by a client-supplied identifier without checking that the caller is allowed to see it.
Dating App RAW: Privacy Breach Uncovered
The breach was uncovered when TechCrunch analysts tested the app using a dummy account on a virtualized Android device. A routine network traffic analysis revealed that, instead of an encrypted data flow, the app transmitted user information in the clear, a direct contradiction of its advertised privacy safeguards.
Upon being alerted, Raw’s co-founder Marina Anderson confirmed the exposure and stated that the affected endpoints were swiftly secured.
“We’ve implemented additional safeguards to prevent similar issues in the future,” Anderson wrote in an email to TechCrunch. However, she admitted that the app had never undergone a third-party security audit.
Crucially, the company has not committed to proactively informing users whose data may have been compromised. While a report will be submitted to regulatory authorities under the relevant data protection laws, many questions remain unanswered, chiefly how long the data leak persisted and whether the privacy policy will be updated.
Cybersecurity experts have long warned about the risks associated with IDOR vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reiterated in a 2023 advisory that apps must enforce robust authentication and authorisation controls, especially when handling personally identifiable information.
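To illustrate the IDOR pattern described above, and the authentication and authorisation controls the CISA advisory calls for, the following Python models a profile-lookup endpoint first with the flaw and then with the check that closes it. This is example code added to this article, not Raw’s code; the records, session tokens and function names are constructed for illustration.

```python
"""Added example (not the Raw app's code): a minimal in-process model of a
profile-lookup endpoint, first with the IDOR flaw described in the article,
then with the authentication and object-level authorization check that
closes it. All records, tokens and names below are constructed."""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Profile:
    user_id: int
    display_name: str
    birthdate: str     # sensitive
    orientation: str   # sensitive
    lat: float         # sensitive: street-level location
    lon: float         # sensitive


# Constructed sample records; not real users.
PROFILES = {
    1001: Profile(1001, "alice", "1990-04-12", "straight", 51.5074, -0.1278),
    1002: Profile(1002, "bob", "1988-09-30", "gay", 48.8566, 2.3522),
}

# Constructed session store: bearer token -> user_id of the logged-in user.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Fields that must never be returned for anyone but the record's owner.
SENSITIVE_FIELDS = {"birthdate", "orientation", "lat", "lon"}


def vulnerable_get_profile(user_id: int) -> Optional[dict]:
    """Vulnerable: no authentication and no ownership check, so any caller
    who iterates user_id receives the full record. This is the IDOR."""
    p = PROFILES.get(user_id)
    return asdict(p) if p else None


def hardened_get_profile(token: Optional[str], user_id: int) -> dict:
    """Hardened: the caller must present a valid session, and sensitive
    fields are returned only when the caller owns the requested record.
    Other users' records come back stripped to non-sensitive fields."""
    caller = SESSIONS.get(token)
    if caller is None:
        return {"status": 401, "body": {"error": "authentication required"}}
    p = PROFILES.get(user_id)
    if p is None:
        return {"status": 404, "body": {"error": "not found"}}
    record = asdict(p)
    if caller != user_id:
        # Object-level authorization: not the owner, so drop sensitive data.
        record = {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
    return {"status": 200, "body": record}


def audit_other_users(token: Optional[str], ids) -> dict:
    """Defensive check: call the hardened handler for a range of ids and
    report any sensitive fields of OTHER users that come back.
    An empty dict means the IDOR is closed for this caller."""
    caller = SESSIONS.get(token)
    leaks = {}
    for uid in ids:
        resp = hardened_get_profile(token, uid)
        if resp["status"] == 200 and uid != caller:
            exposed = SENSITIVE_FIELDS & set(resp["body"])
            if exposed:
                leaks[uid] = exposed
    return leaks


if __name__ == "__main__":
    # The flawed handler hands over another user's location to anyone.
    print("vulnerable:", vulnerable_get_profile(1002))
    # The hardened handler returns only the display name to a non-owner.
    print("hardened:  ", hardened_get_profile("tok-alice", 1002))
    print("leaks after fix:", audit_other_users("tok-alice", range(1000, 1005)))
```

The important line is the ownership comparison inside `hardened_get_profile`: authentication alone (the 401 branch) is not enough, because a logged-in user can still iterate identifiers; the per-object check is what actually stops one account from reading another’s birthdate and coordinates.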
The timing of the breach is also significant. The news came at the same time as Raw announced a new wearable device, the Raw Ring, which would monitor biometric information such as heart rate and emotions. Billed as a device that uses AI to sense cheating, the wearable raises further ethical and privacy concerns in the wake of Raw’s inability to keep its existing platform secure.
In Raw’s case, users’ most personal information, shared in the hope of forming real connections, was exposed to the open web without any protection.
As scrutiny intensifies, all eyes will now be on whether Raw can rebuild credibility, and whether regulators will impose stricter penalties to deter such lapses in the future.