Jewish dating app JCrush exposed user data and private messages

A security lapse at JCrush, a dating app designed for the Jewish community, left a database open without a password, exposing sensitive user records and private messages to anyone who knew where to look.
The site's back-end database had around 200,000 user records, according to security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with TechCrunch and wrote up their findings at vpnMentor.
None of the data was encrypted, the researchers told TechCrunch.
We obtained a sample of the records to verify. From what we saw, the records contained the user's name, gender, email address, IP address, geolocation as well as their city, state and country, date of birth, their sexual preferences, their religious denomination, and the photos they use on JCrush.
Depending on how the user signed up, the records also show the user's Facebook ID, which points directly to their Facebook profile. It also includes the access token, which can be used to take over a JCrush user's account without needing their password.
In some cases, the geolocation data was so accurate it was easy to identify exactly where some users lived, especially in residential neighborhoods.
The database also contained private messages; many were explicit and graphic.
Although the researchers didn't dig into the data, mindful of the privacy implications, they found records relating to incognito accounts, which allow users to pay to browse the site anonymously.
The app's founder Natasha Nova did not respond to a request for comment. An unnamed spokesperson for JCrush's parent company Northsight Capital said it was aware of the situation and secured the database immediately when the problem occurred.
"There have not been any indications that the data had been accessed by malicious parties or misused in any way," said the company. When asked, the company did not say what evidence it had for its claim, but noted that the company plans to notify its users and authorities of the incident.
It's the latest in a series of data exposures at dating apps, or companies that tout anonymity and privacy.
Last year, a dating app for conservative supporters, Donald Daters, admitted a database leak on its first day of operations. Only about 1,600 users had their information exposed. In May, a popular Chinese dating app for gay and queer women, Rela, which had more than five million users, left its database open and exposed.
Read more:

Rela, a Chinese lesbian dating app, exposed 5 million user profiles
At Blind, a security lapse revealed private complaints from Silicon Valley employees
Donald Daters, a dating app for Trump supporters, leaked its users' data
Security lapse exposed private Theta photos
After breach, Stack Overflow says some user data exposed
An unsecured SMS spam operation doxxed its owners