The dating app that recently unveiled a concerning new wearable device has come under fire for inadvertently exposing users’ personal data. This breach included highly sensitive information such as users’ approximate locations, putting their privacy at serious risk.

The app, named Raw, claims to foster genuine and raw connections by offering a distinctive user experience reminiscent of BeReal, utilizing both the front and back cameras of users’ smartphones for authentic dating interactions. However, alongside this, Raw has introduced a controversial hardware product known as the Raw ring. This device allegedly enables users to monitor their partners’ locations to prevent infidelity, raising ethical concerns about privacy and trust. Regrettably, Raw has also revealed another aspect of its operations in a rather “unfiltered” manner: the careless handling of users’ private data.

According to a report from TechCrunch, the absence of basic digital security measures led to the accidental exposure of users’ sensitive information. Prior to this week, anyone equipped with a web browser could easily access detailed profiles of app users, revealing their date of birth, display names, sexual orientations, and even specific “street-level” location information.

TechCrunch uncovered these serious security flaws during a routine evaluation of the app. The team downloaded Raw onto a virtualized Android device and employed a network monitoring tool to track the data transmitted between the app and its servers. Their analysis indicated that the personal information was devoid of any protective authentication barriers. Within mere minutes of using the application, they identified this alarming issue. Additionally, while Raw asserted that it safeguards user information through end-to-end encryption (E2EE), TechCrunch found no substantiating evidence that such encryption was implemented. They elaborated on the security vulnerability as follows:

Upon initial loading of the app, we observed that it was retrieving user profile information directly from the company’s servers. Alarmingly, the server was not employing any authentication measures to guard the returned data. This oversight meant that anyone could access another user’s private information simply by entering the exposed server address — api.raw.app/users/ followed by a unique 11-digit identifier for a specific user. By altering the digits to match another user’s identifier, private profile information, including their location details, could be retrieved. This security flaw, recognized as an insecure direct object reference (IDOR), allows unauthorized access to or manipulation of data on another user’s server due to insufficient security protocols.

In response to these findings, Gizmodo contacted Raw for clarification. As reported to TechCrunch, the company has since rectified the security vulnerabilities as of Wednesday. “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” stated Marina Anderson, co-founder of the Raw dating app, during her communication with the outlet.

It is not unusual for tech companies to inadequately safeguard user information. Surprisingly, prioritizing security is often not a significant focus within the software industry. This can be attributed to the time and financial resources required to enhance security measures, which may hinder other production areas. Consequently, many companies neglect proper security protocols. However, given that a dating app is tasked with managing users’ most intimate and sensitive information, it is crucial for such platforms to invest extra effort in securing their data. As the saying goes: “wrap it before you tap it.”