Threesome dating app 3fun exposed users with ‘worst security’ ever seen

9 Aug 2019


Researchers found that they could spoof their location on threesome dating app 3fun in order to reveal the location and data of other users.

3fun, a dating app geared towards swingers and people looking for threesomes, contains a vulnerability that exposed the personal data of its entire user base, which exceeds 1.5m people.

The app, which calls itself a “private space” where users can “discover [their] sexuality” and meet “local kinky, open-minded people”, was leaking the exact location, photos and other personal details of any nearby users. Researchers from Pen Test Partners told TechCrunch that the platform has “probably the worst security for any dating app we’ve ever seen”.

Furthermore, the research team found that they could spoof their location by plugging in any coordinates they wished, allowing them access to sensitive information on anyone within a particular location, including government buildings, military bases and intelligence agencies.

Spoofing location allowed Pen Test Partners to discover the location of users very accurately, down to which house or which building they were in.

The researchers contacted 3fun on 1 July to report the bugs. However, the app maker took weeks to address the issues, according to Pen Test Partners founder Ken Munro.

It is one of several dating apps to commit major privacy missteps recently. It emerged in June that Jewish dating app JCrush exposed the data and private messages of some 200,000 users following a security lapse. Last year, conservative dating app DonaldDaters, a platform geared towards US Trump supporters, was found to have leaked its entire database of users, which numbered around 1,600 at the time, on the day of its launch.

Elsewhere, there have been many other significant data security issues. Late last month, security researchers at Eset stumbled upon a new family of Android ransomware that specifically targets Reddit users who search for porn.

One of the most significant breaches in recent weeks affected US financial institution Capital One. The cyberattack targeted personal information of up to 100m US-based people and 6m people in Canada. The bank maintains that no credit card account numbers or login credentials were compromised.

Eva Short was a journalist at Silicon Republic
