[BreachExchange] Jewish dating app JCrush exposed user data and private messages

Wed Jun 5 08:42:55 EDT 2019

https://techcrunch.com/2019/06/04/jcrush-exposed-data-messages/

A security lapse at JCrush, a dating app designed for the Jewish
community, left a database open without a password, exposing sensitive
user records and private messages to anyone who knew where to look.

The site’s backend database had around 200,000 user records, according
to security researchers Noam Rotem and Ran Locar, who shared their
findings exclusively with TechCrunch and wrote up their findings at
vpnMentor.

None of the data was encrypted, the researchers told TechCrunch.

We obtained a sample of the records to verify. From what we saw, the
records contained the user’s name, gender, email address, IP address
and geolocation, as well as their city, state and country, date of
birth, sexual preferences, religious denomination and photos they use
on JCrush.

Depending on how the user signed up, the records also show the user’s
Facebook ID, which points directly to their Facebook profile. It also
includes the access token, which can be used to take over a JCrush
user’s account without needing their password.

In some cases, the geolocation data was so accurate it was easy to
identify exactly where some users lived — especially in residential
neighborhoods.

The database also contained private messages — many were explicit and graphic.

Although the researchers didn’t dig into the data — mindful of the
privacy implications — they found records relating to “incognito”
accounts, which allow users to pay to browse the site anonymously.

The app’s founder Natasha Nova did not respond to a request for
comment. An unnamed spokesperson for JCrush’s parent company,
Northsight Capital, said it was “aware” of the situation and “secured
the database immediately when the problem occurred.”

“There have not been any indications that the data had been accessed
by malicious parties or misused in anyway,” said the company. When
asked, the company did not say what evidence it had for its claim, but
noted that the company plans to notify its users and authorities of
the incident.

It’s the latest in a series of data exposures at dating apps, or
companies that tout anonymity and privacy.

Last year, a dating app for conservative supporters — Donald Daters —
admitted a database leak on its first day of operations. Only about
1,600 users had their information exposed. In May, a popular Chinese
dating app for gay and queer women, Rela, which had more than five
million users, left its database open and exposed.