Security researchers have revealed a litany of failures in the Feeld dating app that could be abused to access all manner of private user data, including the most sensitive images not intended to be kept or shared.

Feeld caters to "open-minded individuals" - those specifically interested in exploring alternative relationship models such as ethical non-monogamy, polyamory, swinging, kinks, and others.

With that in mind, users would quite understandably expect the makers of the app, which was launched just over ten years ago, to have shored up their security by now.

Alas, judging by the work carried out at UK-based pentesting specialists Fortbridge, all of the data required to save people's private messages - including photos and videos sent in chatrooms - and to view other people's matches and more could be easily intercepted and inspected using a network proxy tool.

By that we mean: It's possible to use a network proxy to take a look at the data being exchanged between the Feeld servers and its app on your device as you use the software, and in that data, there is a lot of info that really shouldn't be in there. That information is either directly about another user that shouldn't have been sent at all, or data that can be used in subsequent requests to Feeld's servers to lookup more stuff that again shouldn't be made available.

For example, intercepting a request to view a profile's "likes" - a list of people who liked the user's profile - led to the researchers essentially giving themselves premium-member benefits such as being able to view the full profile information of those who "liked" them. This is usually restricted for free users who can see a name only, with other details blurred.

This particular bug was arguably the least harmful of the eight security weaknesses Fortbridge highlighted, but the method of exploiting it laid the groundwork for discovering more serious issues.

Indeed, intercepting various app requests could be used to gather data such as any individual's user ID, age, distance, and profile photos - at least some of which could then be used to gain access to more info.

Fortbridge's Bogdan Tiron, a cloud application security consultant and pentester, was able to extract a user ID from one request, and then read that user's private messages by reusing the ID in another request, for example. More specifically, one part of the Feeld API will give you another user's streamUserId, and then putting that value into another API call for reading messages will return that person's private chat conversations. None of this is supposed to happen.

Tiron also demonstrated in his research that an unauthenticated user could access the images and videos of other users sent through the private in-app chatrooms. This included media that users specifically configured to disappear after a set length of time, usually 5-15 seconds.

It doesn't appear to be complicated to be able to exploit these vulnerabilities

Again, using a tool such as Burp Proxy and the data gathered from previous requests, Tiron was able to delete messages sent by users, recover them, and edit other users' messages seemingly by someone not in the chatroom. He was also able to send messages to other users in existing chats in which he wasn't a participant. No end-to-end encryption here.

Other possibilities included viewing other users' matches, forcing another user to "like" one's own profile, and editing the profile information of others including name, sexuality, age, and more.

Commenting on the findings, application security specialist Sean Wright told The Register: "Other than the one vulnerability to bypass subscription level limitations, the rest are pretty damning and not to mention concerning.

"A lot of information used within this app is going to be incredibly personal. These vulnerabilities could be leveraged by all types of nefarious actors, from a jealous ex, to a stalker, to organized criminals leveraging blackmailing-type scams.

"The ability to read other people's messages and attachments is especially concerning. These will be incredibly personal and private. To make matters worse, it doesn't appear to be complicated to be able to exploit these vulnerabilities."

Tiron presented his findings to Feeld on March 8. According to the disclosure timeline he supplied, Fortbridge agreed on multiple occasions to delay the publication of Tiron's findings to allow Feeld to implement the required fixes.

Generally speaking, a 90-day window is seen in the security industry as the right balance between giving developers enough time to implement a fix and publishing the findings to alert the public without undue delay.

However, six months have now passed since Tiron's initial report to Feeld. The company's last response was on August 16, telling him: "We have implemented the required changes to mitigate the remaining findings."

This sounds as though the necessary fixes were applied, but according to the version history notes left on Feeld's App Store page, there has been no mention of security or anything resembling a performance improvement since May. All updates since have focused on releasing new features.

The Register asked Feeld to comment and it didn't immediately respond.

Over on the Feeld subreddit, users don't appear pleased about the time taken to address the various issues.

One said: "The Feeld disclosure timeline at the bottom of the post is pretty infuriating. It took Feeld five months to fix these massive security holes. If they took this seriously they should have immediately alerted users that literally everything they posted was compromised and paused signups until everything was fixed."

Others, however, were less bothered about the news.

"Jokes on them, I'm an exhibitionist," one wrote. ®

https://www.theregister.com//2024/09/13/feeld_dating_app_failures/