Group Dating App 3fun Exposed Sensitive Data On 1.5 Million Users

Experts Comments

August 09, 2019
Justin Fox
Director of DevOps Engineering
NuData Security
Attackers could have used 3fun to create profiles of the users with both typical profile information and physical location data of its users who are billed as kinky, open-minded people. This can be sensitive information that is used for harassment and persecution of LGBTQ+ individuals. Due to the multiple security vulnerabilities in the application, researchers were able to manipulate their session details to change data attributes and collect profile information of other registered users. This is where a layered security approach that establishes a trusted device profile is critical to providing a better consumer experience that validates the device and prevents attribute spoofing. The experience is frictionless to most consumers (as long as they don’t show signs of risk, there is no need for additional authentication) while it mitigates the risk organizations face such as spoofed or manipulated device intelligence data. It’s important to foster inclusion and diversity in all environments – acceptance matters.
