Feeld Dating App Breach Left Your Nudes Open to Hackers

Feeling exposed? Feeld fixed it, but your data was wide open for almost half a year.

By Marco Rizal - Editor, Journalist 5 Min Read
Share this post?
Share this post?

Feeling exposed? Feeld fixed it, but your data was wide open for almost half a year.

Fortbridge security experts revealed many critical vulnerabilities in the Feeld dating app, exposing users' private information such as personal data, chats, and even intimate images and videos.

These problems primarily relate to “broken access control,” one of the top security threats highlighted by the Open Web Application Security Project (OWASP).

The found vulnerabilities enable attackers to see and change data without adequate authentication, posing a serious privacy risk to users.

One of the most alarming vulnerabilities is that attackers can view private user photos, videos, and chats without logging into the app or having the proper permissions.

image 51
Reading other people's messages via streamUserID value. (Credit: Fortbridge)

Feeld's premium features, designed to protect sensitive user information, are simply circumvented with simple hacking tools.

This means that basic users, who generally see just limited profile information, can use these issues to view other users' whole profiles, images, and communications.

Fortbridge’s research found that attackers could perform several alarming actions, including:

  • Attackers can read private messages between users and gain access to full profiles without permission.
  • Photos and videos exchanged in private chats, including time-limited content, can be viewed without authentication. Even if a photo or video is listed as expired, attackers can still access it using certain URLs.
  • Attackers have the ability to modify or delete other people's messages, which opens up the possibility of discussion manipulation and misinformation.
  • In some situations, attackers can change someone else's profile information, such as age, gender, and interests.

These flaws pose major dangers to user privacy, particularly given the sensitive nature of the information transmitted on dating sites such as Feeld.

Personal information like as photographs, sexual preferences, and messages may be disclosed to unauthorized third parties, putting users at risk of privacy infringement.

How Attackers Exploit the System

Fortbridge disclosed vulnerabilities that allow attackers to intercept and extract sensitive data from Feeld's API (application programming interface) using tools such as Burp Suite.

Hackers can bypass security safeguards designed to secure user information by changing specific parameters in Feeld's API, allowing anyone to gain unauthorized access to private conversations, photographs, or videos.

One of the flaws, for example, enables attackers to retrieve the URLs of shared multimedia assets.

image 50
Video being shown unauthenticated and is replay-able. (Credit: Fortbridge)

These cloud-stored files can be read and downloaded without requiring any login. Even after a photo or video is meant to have expired, it can still be accessed using these URLs.

Fortbridge reported these concerns to Feeld, although it is unclear whether all vulnerabilities have been addressed.

The business has recommended users to exercise caution while sharing sensitive media and personal information on the site until these vulnerabilities have been fully resolved.

Delayed Disclosure

The disclosure of these vulnerabilities sparked concerns among users, particularly concerning how long these problems went unpatched.

Many are wondering if Feeld's answer was timely enough. Some users were frustrated, questioning why Fortbridge did not quickly report the original vulnerability upon detection, rather than waiting to investigate the entire scope of the security vulnerabilities.

As one user asked, “At what point is it irresponsible not to disclose an initial vulnerability?”

image 52
Feeld vulnerability disclosure timeline via Fortbridge

Given that Feeld has been around for a decade, the timeline of the investigation is causing concern, as the vulnerabilities could have been open for years, leaving user data exposed.

While Feeld eventually resolved the issues, many users were dissatisfied with the delayed process.

Some claim that Feeld should have prioritized correcting these major vulnerabilities before feature updates or other bug fixes, considering the risk to user privacy.

Leave a comment