Raw Dating App Faces Security Breach Exposing User Data


By Lisa Wong


The Raw dating app launched in early 2023. It pushes users to upload daily selfies to promote real connections. Unfortunately, the platform has been in the news for a major security blunder that left sensitive user data, including location details, exposed. As reported by TechCrunch, this represents one of the largest breaches of its kind. TechCrunch discovered an Insecure Direct Object Reference (IDOR) vulnerability that provided unauthorized access to users’ private data.

Founded by Marina Anderson, Raw markets itself as an antidote to the pared-down aesthetics of millennial online dating, fostering genuine connections over curated presentations. The app’s approach includes a hardware extension called the Raw Ring, an unreleased wearable device designed to track users’ partners’ heart rates and other sensor data. The Raw Ring promises AI-generated relationship insights that can allegedly help users detect future cheating.

The vulnerability came to light when TechCrunch ran a quick test of the app and found that the mobile application was pulling user profile data directly from Raw’s servers, which returned it without requiring any authentication at all. This omission allowed any user to retrieve any other user’s personal information, posing significant privacy risks.
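The missing check described above, shown as an added example that is not taken from TechCrunch's report or from Raw's code: a profile lookup with no caller check, next to a version that authenticates the session and gives non-owners only an allow-listed view. All names, fields, tokens and records are constructed for illustration.

```python
# Added illustration: every identifier and record here is constructed,
# not Raw's actual API or data model.

USERS = {  # constructed sample records
    101: {"display_name": "alex", "birth_date": "1994-02-11",
          "lat": 40.7130, "lon": -74.0061},
    102: {"display_name": "sam", "birth_date": "1990-07-30",
          "lat": 51.5072, "lon": -0.1276},
}
SESSIONS = {"tok-alex": 101, "tok-sam": 102}  # constructed token -> user id
PUBLIC_FIELDS = ("display_name",)  # fields other members are allowed to see


class AuthError(Exception):
    """No valid session; an HTTP API would answer 401."""


def get_profile_vulnerable(user_id):
    # IDOR: the record is selected by a client-supplied id and nothing checks
    # who is asking, so every stored field is returned to any caller.
    return USERS.get(user_id)


def authenticate(token):
    # Resolve the caller from a server-side session table, never from a
    # user id sent in the request.
    caller = SESSIONS.get(token)
    if caller is None:
        raise AuthError("missing or invalid session")
    return caller


def get_profile_hardened(token, user_id):
    caller = authenticate(token)        # 1. authentication
    record = USERS.get(user_id)
    if record is None:
        return None                     # unknown id; an HTTP API would answer 404
    if caller == user_id:               # 2. object-level authorization
        return dict(record)             # the owner sees the full record
    # 3. everyone else gets an allow-listed view, so location and birth date
    #    never leave the server for another member's profile
    return {field: record[field] for field in PUBLIC_FIELDS}
```

The allow-list in step 3 matters as much as the session check: an authenticated member requesting someone else's id still receives no location fields.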

Anderson said, “We’ve spoiled every endpoint revealed in the past. We’ve built in further protections to ensure something like this doesn’t happen again.” She pointed out that the company encrypts data in transit and enforces strict access controls across its infrastructure. She added that the company is committed to continuing to review where things stand today in order to chart a more defined path forward.

Unlike Signal, Raw is not end-to-end encrypted. This omission leaves user interactions and stored data more vulnerable, removing a critical line of defense. Anderson confirmed that the company plans to “submit a detailed report to the relevant data protection authorities under applicable regulations,” reflecting the company’s intention to comply with legal requirements and transparency standards.

After TechCrunch contacted Raw to inform them of the vulnerability, the company took immediate action Wednesday morning, locking down the exposed data endpoints. This incident highlights the importance of rigorous security measures in technology applications, particularly those handling personal and sensitive user information.

Raw’s practice of having users take selfies each day aims to foster exciting and genuine interactions within the app. In light of this latest security breach, companies must walk a fine line between implementing innovative features and invading user privacy. As dating apps grow in choice and popularity, putting solid security practices in place will be imperative to keeping users safe and retaining their trust.