A much-hyped dating site for Donald Trump supporters in the US is being blasted for shoddy security that may have exposed all of its users to eavesdropping and account theft.
Donald Daters pitches itself as "an American-based singles community connecting lovers, friends, and Trump supporters alike." The app, offered for both iOS and Android, was brought into the national spotlight on Monday when it was featured on Fox News.
Unfortunately, the media offensive appears to have come before the dating service was able to run a decent security assessment. So someone did that for them for free.
Shortly after the glowing profiles of the app went live, infosec researcher Baptiste Robert disclosed the application's makers had poorly secured an internet-facing cloud-hosted backend database containing information including all user names, private conversations via the app, and authentication tokens needed to log into their accounts.
Robert confirmed to El Reg that the data is stored on a backend database, and tweeted:
Hi @FoxNews and @realDonaldTrump supporters,— Elliot Alderson (@fs0c131y) October 15, 2018
You should not use this app. In 5 minutes, I managed to get:
- the list of all the people registered
- personal messages
- token to steal their session
Thread ⬇️ https://t.co/72KdNJTrmk
So, basically, everything short of credit card details is available from the mobile app's backend, if you know where and how to look. We'll give you a clue: the app includes the cryptographic keys needed to access the developers' cloud-hosted storage and accounts. These keys can be used to access the databases holding people's profiles. It seems someone bigly ignored some basic security measures.
According to the researcher, the dating app has about 1,607 users who have engaged in a total of 128 conversations, the longest being a discussion between two of the app's developers.
Robert was also able to extract information from the Android client:
It's probably not a good idea to expose all your ids and keys... In the app you can find:— Elliot Alderson (@fs0c131y) October 15, 2018
- RNB_GOOGLE_PLAY_LICENSE_KEY pic.twitter.com/5CUxlqggFs
The makers of Donald Daters did not return a request from El Reg for comment on the matter. SAD. And if you're using this app: don't. ®