Feeld bugs allow message tampering, image and video theft - The Register

Security researchers have revealed a litany of failures in the Feeld dating app that could be abused to access all manner of private user data, including the most sensitive images not intended to be kept or shared.

Feeld caters to open-minded individuals, those specifically interested in exploring alternative relationship models such as ethical non-monogamy, polyamory, swinging, kinks, and others.

With that in mind, users would quite understandably expect the makers of the app, which was launched just over ten years ago, to have shored up their security by now.

Alas, judging by the work carried out at UK-based pentesting specialists Fortbridge, all of the data required to save people's private messages, including photos and videos sent in chatrooms, and to view other people's matches, and more, could be easily intercepted and inspected using a network proxy tool.

By that we mean: It's possible to use a network proxy to take a look at the data being exchanged between the Feeld servers and its app on your device as you use the software, and in that data there is a lot of info that really shouldn't be in there. That information is either directly about another user, that shouldn't have been sent at all, or data that can be used in subsequent requests to Feeld's servers to look up more stuff that, again, shouldn't be made available.

For example, intercepting a request to view a profile's likes (a list of people who liked the user's profile) led to the researchers essentially giving themselves premium-member benefits, such as being able to view the full profile information of those who liked them. This is usually restricted for free users, who can see a name only, with other details blurred.

This particular bug was arguably the least harmful of the eight security weaknesses Fortbridge highlighted, but the method of exploiting it laid the groundwork for discovering more serious issues.

Indeed, intercepting various app requests could be used to gather data such as any individual's user ID, age, distance, and profile photos, at least some of which could then be used to gain access to more info.

Fortbridge's Bogdan Tiron, a cloud application security consultant and pentester, was able to extract a user ID from one request and then read that user's private messages by reusing the ID in another request, for example. More specifically, one part of the Feeld API will give you another user's streamUserId, and then putting that value into another API call for reading messages will return that person's private chat conversations. None of this is supposed to happen.

Tiron also demonstrated in his research that an unauthenticated user could access the images and videos of other users sent through the private in-app chatrooms. This included media that users specifically configured to disappear after a set length of time, usually 5-15 seconds.

Again, using a tool such as Burp Proxy and the data gathered from previous requests, Tiron was able to delete messages sent by users, recover them, and edit other users' messages, seemingly by someone not in the chatroom. He was also able to send messages to other users in existing chats in which he wasn't a participant. No end-to-end encryption here.

Other possibilities included viewing other users' matches, forcing another user to like one's own profile, and editing the profile information of others, including name, sexuality, age, and more.

Commenting on the findings, application security specialist Sean Wright told The Register: "Other than the one vulnerability to bypass subscription level limitations, the rest are pretty damning, and not to mention concerning.

"A lot of information used within this app is going to be incredibly personal. These vulnerabilities could be leveraged by all types of nefarious actors, from a jealous ex, to a stalker, to organized criminals leveraging blackmailing-type scams.

"The ability to read other people's messages and attachments is especially concerning. These will be incredibly personal and private. To make matters worse, it doesn't appear to be complicated to be able to exploit these vulnerabilities."

Tiron presented his findings to Feeld on March 8. According to the disclosure timeline he supplied, Fortbridge agreed on multiple occasions to delay the publication of Tiron's findings to allow Feeld to implement the required fixes.

Generally speaking, a 90-day window is seen in the security industry as the right balance between giving developers enough time to implement a fix and publishing the findings to alert the public without undue delay.

However, six months have now passed since Tiron's initial report to Feeld. The company's last response was on August 16, telling him: "We have implemented the required changes to mitigate the remaining findings."

This sounds as though the necessary fixes were applied, but according to the version history notes left on Feeld's App Store page, there has been no mention of security or anything resembling a performance improvement since May. All updates since have focused on releasing new features.

The Register asked Feeld to comment and it didn't immediately respond.

Over on the Feeld subreddit, users don't appear pleased about the time taken to address the various issues.

One said: "The Feeld disclosure timeline at the bottom of the post is pretty infuriating. It took Feeld five months to fix these massive security holes. If they took this seriously, they should have immediately alerted users that literally everything they posted was compromised and paused signups until everything was fixed."

Others, however, were less bothered about the news.

"Joke's on them, I'm an exhibitionist," one wrote.
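
The server-side checks whose absence the article describes, shown as an added example that is not Feeld's or Fortbridge's code: identity comes from the session rather than from a client-supplied ID such as streamUserId, chat access requires membership, changing a message requires authorship, and likes are redacted before they leave the server. All class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The authenticated caller has no rights on the requested object."""

@dataclass
class Session:
    user_id: str           # set by the server at login, never taken from the request
    premium: bool = False

@dataclass
class Message:
    author_id: str
    text: str

@dataclass
class Channel:
    members: set
    messages: dict = field(default_factory=dict)   # msg_id -> Message

def require_member(session, channel):
    # No session (unauthenticated) or a non-participant: refuse before touching data.
    if session is None or session.user_id not in channel.members:
        raise Forbidden("caller is not a participant in this chat")

def read_messages(session, channel):
    require_member(session, channel)
    return [m.text for m in channel.messages.values()]

def send_message(session, channel, msg_id, text):
    require_member(session, channel)
    # Author is the session identity, not a user ID supplied in the request.
    channel.messages[msg_id] = Message(session.user_id, text)

def edit_message(session, channel, msg_id, text):
    require_member(session, channel)
    if channel.messages[msg_id].author_id != session.user_id:
        raise Forbidden("only the author may edit or delete a message")
    channel.messages[msg_id].text = text

def list_likes(session, likers):
    # Redact on the server; blurring in the client still ships the full profile.
    return likers if session.premium else [{"name": p["name"]} for p in likers]

# Constructed sample data: alice and bob share a chat, nobody else is a member.
CHAT = Channel({"alice", "bob"}, {"m1": Message("alice", "hi")})
LIKERS = [{"name": "Sam", "age": 30, "photos": ["p1.jpg"]}]
```
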
Copyright. All rights reserved 1998-2024