Gay Chat App Exposed User Details and Messages

Gay Daddy leaked all user data, including private messages, photos, locations, and profiles.

More than 50,000 user profiles and 124,000 private messages from a gay networking site were available to view.

According to research from Cybernews, a major security oversight was discovered in the “Gay Daddy: 40+ Date & Chat” app on Apple’s App Store, and it was determined to be due to the app’s Firebase.

This left the database accessible to anyone with sufficient technical knowledge. Researchers were able to reverse engineer the publicly available app package, which revealed the stored secrets in plain text.

“Users expect the app to be discreet, but it is completely the opposite,” Aras Nazarovas, a security researcher at Cybernews, said. “Due to a security misconfiguration, Gay Daddy leaked all of its users' data, including private messages, photos, locations, and profiles, including names, age, relationship status, and even HIV status.”

Firebase is a Google tool that helps developers streamline app development, including data storage, user authentication (like logins), and real-time features such as chat updates.

The breach was disclosed to the app developer, and the leaking instance was closed. 


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
