Security flaws found in Feeld’s ‘open-minded’ dating app
Users of Feeld, a dating app aimed at alternative relationships, could have had sensitive data including messages, private photos and details of their sexuality accessed or even edited, it has emerged, after cybersecurity experts exposed a string of security “vulnerabilities”.
Feeld, registered in the UK, reported soaring revenues and profits this month, after millions of downloads from “open-minded” queer, kinky and non-monogamous users.
But a British cybersecurity business said it uncovered serious failings in Feeld’s systems earlier this year.
Feeld said it had dealt with the concerns “as a matter of urgency”, resolved them within two months and that it had not seen any evidence that user data had been breached.
It did not know how long the vulnerabilities existed before it was told about them in March by the London-based cybersecurity firm Fortbridge.
Fortbridge found the issues after “pentesting”, a term for assessments of websites and apps to identify weaknesses attackers could exploit.
Its researchers found that it was possible to read other people’s messages exchanged in chats on Feeld and see attachments, which can include sexually explicit pictures and videos. This could be done as long as a potential hacker had the user’s “stream user ID”. Messages could be edited, deleted and recovered, the researchers found. Time-limited photos and videos, commonly used to share explicit images that self-delete after one viewing, could be retrieved and seen indefinitely, by accessing a link available to the sender.
Fortbridge said the failings could also allow a hacker to change someone else’s profile information, including their name, age and sexuality. It was also possible to view other people’s matches and to manually force a profile to “like” another.
The cybersecurity company said the failings could have been exploited with “basic technical knowledge”.
Adrian Tiron, a managing partner at Fortbridge, said: “Although these aren’t the most sophisticated bugs we’ve found or exploited, they are certainly some of the most impactful due to Feeld’s large user base.”
Feeld said it had not shared details about the security flaws publicly, including with users, as it did not want to “invite bad actors” to manipulate private information. Members would be told directly about how it had fixed the issues.
The company had investigated the problems brought to its attention by Fortbridge on 3 March and fixed them by 28 May. “Our members’ safety and security is our top priority,” it added.
The information commissioner’s office said it had not received reports of a data breach at Feeld.