3Fun, a dating app for arranging threesomes with more than 1.5 million users, exposed sensitive information, including real-time locations and private pictures.
The app’s lack of security was discovered by Pen Test Partners, which claimed that 3Fun featured what was “probably the worst security for any dating app we’ve ever seen” with none of the user data protected by encryption.
According to Pen Test Partners, other dating apps such as Grindr were criticized for user location disclosures in the past through trilateration, which grabbed a person’s exact location through the exploitation of the “distance from me” feature in apps by spoofing GPS positions.
3Fun, however, extracted the latitude and longitude coordinates of users, and even if they restricted sending that information, the data was still on the server.
Through it, Pen Test Partners was able to pinpoint the locations of the group dating app’s users across several major cities.
Some were even found in the White House, the U.S. Supreme Court, and in Number 10 Downing Street in London, though they were likely spoofing their locations.
