Monday, November 25, 2024


This Dating App May Have Leaked Extremely Private Data: Check Your Account Now


Key Takeaways

  • Feeld’s vulnerabilities allow hackers to access sensitive user information easily.
  • Hackers could exploit the vulnerabilities to steal photos, messages, and even control user profiles.
  • Feeld claims to have fixed the bugs, but caution is still advised.



Dating apps are a trove of deeply personal information. People share private details and personal conversations on them, so security is essential, and data breaches affecting dating apps always have severe consequences.


And that’s exactly what happened to the Feeld dating app, potentially compromising the data of its millions of users through a series of vulnerabilities discovered by security research firm Fortbridge.


What Happened to the Feeld Dating App?

Fortbridge, a penetration testing company, was tasked with extensively examining the Feeld dating app, probing for weaknesses and vulnerabilities that could expose users’ data. Fortbridge’s extensive blog post on the process revealed eight vulnerabilities with the potential for data theft.

It’s important to note that while Fortbridge found a series of issues, the vulnerabilities were discovered during an ethical hacking process. There is no indication that malicious hackers have taken advantage of the vulnerabilities.


In early 2024, Fortbridge began penetration testing the Feeld dating app. They quickly learned how easy it was to access information they should not have access to. On March 6th, Fortbridge presented its findings to Feeld. Before Fortbridge published a blog post expounding on the many vulnerabilities, Feeld asked it to delay publication so that Feeld could address the software bugs. On August 16th, Feeld wrote to Fortbridge that the bugs had been addressed and that Fortbridge could publish the blog post.

However, despite remedying the vulnerabilities, Feeld failed to mention anything regarding security updates in its version history notes in the App Store or Play Store.


What Information Could Hackers Gain if the Vulnerabilities Were Exploited?

Feeld’s bugs made it easy for hackers to access information despite not having permission to do so. This vulnerability is called broken access control, and it’s one of the most common and devastating vulnerabilities found in applications.


By exploiting this vulnerability, a hacker could access sensitive user information, such as photos, videos, messages, age, sexual orientation, and location.

What’s most surprising is that Fortbridge used what most would consider basic security and networking software to access the data. Researchers at Fortbridge used the network proxy tool Burp Suite to intercept data sent from Feeld servers. Once the data was intercepted, the researchers found it incredibly simple to access a host of information that shouldn’t have been available, from sensitive user data to private messages and pictures, and to use the intercepted data to push further into the account.

[Image: messages intercepted from the Feeld app. Credit: Fortbridge]


Along with accessing photos and videos (even if these sensitive photos were set to disappear after 5-15 seconds), researchers could also read messages between users and send messages on a user’s behalf, giving them full control of users’ profiles. Speaking to The Register, application security specialist Sean Wright gave a damning indictment of the Feeld app’s security:

A lot of information used within this app is going to be incredibly personal. These vulnerabilities could be leveraged by all types of nefarious actors, from a jealous ex, to a stalker, to organized criminals leveraging blackmailing-type scams.

The ability to read other people’s messages and attachments is especially concerning. These will be incredibly personal and private. To make matters worse, it doesn’t appear to be complicated to be able to exploit these vulnerabilities.
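
The flaw class described in this section, broken access control on reading and sending messages, shown as an added example that is not from the original article, Fortbridge, or Feeld. Every name (`CHATS`, `read_messages`, `send_message`, `authorized_chat`) and the sample chat are constructed for illustration; the weak handlers sit beside the server-side checks that close the gap.

```python
# Added illustration: constructed data and hypothetical names, not Feeld's code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the authenticated user may not touch the resource."""


@dataclass
class Chat:
    members: frozenset
    messages: list = field(default_factory=list)  # (sender_id, text) tuples


# Constructed sample store: one private chat between alice and bob.
CHATS = {"chat-1": Chat(frozenset({"alice", "bob"}), [("alice", "hi bob")])}


def read_messages_broken(session_user, chat_id):
    # Weak: any logged-in user who supplies a valid chat_id gets the content.
    return list(CHATS[chat_id].messages)


def send_message_broken(session_user, chat_id, body):
    # Weak: the sender is taken from the client-controlled request body.
    CHATS[chat_id].messages.append((body["sender_id"], body["text"]))


def authorized_chat(session_user, chat_id):
    # Same error for "missing" and "not yours" so chat ids cannot be probed.
    chat = CHATS.get(chat_id)
    if chat is None or session_user not in chat.members:
        raise Forbidden(chat_id)
    return chat


def read_messages(session_user, chat_id):
    # Hardened: membership is checked server-side on every request.
    return list(authorized_chat(session_user, chat_id).messages)


def send_message(session_user, chat_id, body):
    # Hardened: sender comes from the session; any client-supplied
    # sender_id is ignored.
    chat = authorized_chat(session_user, chat_id)
    chat.messages.append((session_user, body["text"]))
```

Because an intercepting proxy lets anyone edit requests after the app builds them, checks like these have to run on the server; hiding a button or field in the client enforces nothing.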


Have Feeld Fixed the Vulnerabilities?

While Feeld has told Fortbridge that the security weaknesses have been addressed, Feeld has shown no indication that it has done so via version history notes.

Furthermore, Fortbridge has yet to confirm whether the necessary steps were taken to remedy these security bugs and safeguard user information. Until then, we recommend using Feeld with caution.

If you’re worried about hackers gaining access to your information, we recommend deleting the application and using one of the many other dating apps on the market.
