Feelding Your Information
They just wanted to let your data be polyamorous.
Watch today's newsletter on YouTube!
Dating app "Feeld" is trying to do something different: offer people more options to dial in the specifics of what they're looking for. Unfortunately for the users of Feeld, this open-minded approach to the app design extended to their security design—which is to say: they believed your data should be able to see other people. Or, be seen by other people, at least.
Internet security firm Fortbridge recently published a deep dive blog post into their findings when testing the security of Feeld. Upon examining Feeld's systems, Fortbridge researchers were able to:
- View photos that were supposed to be blurred
- Read, edit, and delete other people's messages
- Send messages in other user chats
- Edit other people's profiles
- View other people's matches
...and so much more.
How did they do this? Did they hack into the mainframe? Did they use some kind of drone to scan the thumbprint of the CEO from afar to bypass biometric scans?
Nope, they just kinda looked at the data that the app was using. Quite literally, in some cases, the app would download the full, unblurred information that was supposed to be hidden from the user just so it could display a blurred-out version of it. So your phone already has the data on it; the app is just trying to pretend it doesn't have access.
Beyond that, they took a look at the app's network traffic while using it so that they could get an understanding of how the app communicated with Feeld's servers. The system that an app uses to interface with a server is often called an "API," and Fortbridge was interested in just how secure Feeld's API was. Spoiler: it wasn't.
By simply looking at what the app was doing, they were able to replicate the API interactions, but swap out which user they were or what actions they were taking. A secure API is supposed to verify that data is only viewable by the proper, authenticated user. In this case, though, they were able to issue a plethora of server commands on behalf of other users without the server properly checking that the caller was actually that user.
It would be like going to a doctor's office, walking up to the front counter and saying, "Hello, I am Stan Franley, I would like a copy of my medical records," and the staff just hands you Stan Franley's medical records without confirming your identity. But then, without moving, you look them straight in the peepers and follow up with, "I am now Jan Cranley, I would like a copy of my medical records," and the staff hands you Jan's private information without question.
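As an added illustration (this is not Fortbridge's or Feeld's code; the users, the chat and the photo URL are made up), here is a toy in-memory API showing the two mistakes described above, an endpoint that never checks who is asking and a profile view that ships the real photo and leaves the blurring to the client, each beside its fix:

```python
# Added illustration, not code from Feeld or Fortbridge. All data is constructed.
from dataclasses import dataclass


@dataclass
class Chat:
    members: frozenset          # users who belong to this chat
    messages: dict              # message_id -> {"author": str, "text": str}


@dataclass
class Profile:
    user: str
    photo_url: str              # the real, unblurred photo
    photo_unlocked_for: frozenset  # users allowed to see it unblurred


CHATS = {1: Chat(frozenset({"stan", "jan"}), {10: {"author": "jan", "text": "hi stan"}})}
PROFILES = {"jan": Profile("jan", "https://example.invalid/jan.jpg", frozenset({"stan"}))}


class Forbidden(Exception):
    pass


def get_message_broken(session_user, chat_id, message_id):
    """Before: trusts the ids in the request; any logged-in user can read any chat."""
    return CHATS[chat_id].messages[message_id]["text"]


def get_message_fixed(session_user, chat_id, message_id):
    """After: object-level authorization; the caller must be a member of that chat."""
    chat = CHATS[chat_id]
    if session_user not in chat.members:
        raise Forbidden(f"{session_user} is not a member of chat {chat_id}")
    return chat.messages[message_id]["text"]


def profile_view_broken(session_user, target):
    """Before: the real URL is always sent; the client merely draws it blurred."""
    p = PROFILES[target]
    return {"photo_url": p.photo_url, "blurred": session_user not in p.photo_unlocked_for}


def profile_view_fixed(session_user, target):
    """After: the server withholds what the viewer is not entitled to; nothing to un-blur."""
    p = PROFILES[target]
    if session_user in p.photo_unlocked_for:
        return {"photo_url": p.photo_url, "blurred": False}
    return {"photo_url": None, "blurred": True}


def is_denied(fn, *args):
    """True when the call is refused with Forbidden (handy for checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The fixed profile view is the one that actually matters for the blur case: once the unblurred URL is no longer in the response, there is nothing on the phone for a curious user to find.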
Fortbridge reached out to Feeld to inform them of the massive swath of vulnerabilities, and Feeld requested time to work on fixes before Fortbridge published their findings. For a sense of the timeline there, Feeld was alerted on March 8th of 2024, and claimed their fixes to be complete on August 16th, 2024.
Your data is at the mercy of so many companies that it's often easy to feel like privacy on the internet is a lost cause. I'd recommend pushing back on those thoughts: it is exactly what massive internet corporations want you to give up on.
An excellent starting point would be to use a password manager such as Bitwarden (not sponsored), and to consider using a premium email service such as Fastmail (also not sponsored), which can do things like generate one-off random email addresses for you. These wouldn't have helped in this case, unfortunately, but they are still a couple of relatively simple steps you can take to vastly improve your online security.
More Stuff
Boeing workers have gone on strike and may be striking for some time. They're pushing for a better contract after a previous proposed contract by Boeing offered insultingly low wage increases.
The new USPS delivery trucks are starting to roll out to their active fleet and they are actually adorable.
The NYPD cop who pushed back on their unspoken get-out-of-jail-free cards won a settlement of $175,000. The NYPD has no plans to stop using the cards. Mayor and former head cop Eric Adams declined to comment on the situation despite acknowledging the settlement.
The entirety of Annapurna Interactive's team has quit the company after executives of the entertainment publishing company's gaming branch attempted to negotiate spinning the entity off into its own company. Literally everyone (totaling 25 people) ended up quitting, leaving the publisher just kinda floating there. Annapurna Interactive published games such as Stray, Outer Wilds, and What Remains of Edith Finch.