On May 25th I discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server and a majority of the users appear to be Americans based on their user IP and geolocations. I also noticed Chinese text inside the database with commands such as:
- according to Google Translate: The model update completion event has been triggered, syncing to the user.
The strange thing about this discovery was that there were multiple dating applications all storing data inside this database. Upon further investigation I was able to identify dating apps available online with the same names as those in the database. What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other. The Whois registration for one of the sites uses what appears to be a fake address and phone number. Several of the other sites are registered private and the only way to contact them is through the app (once it is installed on your device).
Finding several of the users’ real identity was easy and only took a few seconds to validate them. The dating applications logged and stored the user’s IP address, age, location, and user names. Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password many people use it again and again across multiple platforms and services. This makes it extremely easy for someone to find and identify you with very little information. Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.
Usernames are Fingerprints:
We at Security Discovery always follow a responsible disclosure process when it comes to the data we discover and usually make sure that companies or organizations close access before we publish any story. However, in this case the only contact information we can find appears to be fake and the only other way to contact the developer is to install the application. As someone who is very security conscious I understand that installing unknown apps could pose a potentially serious security risk.
I did send 2 notifications to email accounts that were connected to the domain registration and one of the websites. In my search for contact details or more information about the ownership of this database, the only real lead I found was the Whois domain registration. The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou. The phone number is basically all 9’s and when I called there was a message that the phone was powered off.
I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.
The apps mentioned inside the database include diverse range to appeal to as many people as possible:
- Cougardating (Dating app for meeting cougars and spirited young men :according to the site)
- Christiansfinder (an app for christian singles to find ideal match online)
- Mingler (interracial dating app)
- Fwbs (Friends with benefits)
- “TS” I can only speculate the it is an app called “TS” that is a Transsexual Dating App
Some of the apps are free and offer paid versions, but the down side is there could be more information being collected than users know about. Although the database did not contain any billing information or easily identifiable data it still exposed users to a potentially troubling situation where information about their sexual preferences, lifestyle choices, or infidelity could be publicly available. As I mentioned before, it is easy for anyone to identify a large number of users with relative accuracy based on their “User ID”.
What concerns me most is that the virtually anonymous app developers could have full access to user’s phones, data, and other potentially sensitive information. It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake up call for anyone who shares their private information in exchange for some kind of service.
***NOTICE*** At the time of publication the database was still publicly accessible. Despite the large number of users, there was no PII. No one has replied to the notifications and we have published this article to raise awareness to the users of these apps who may be affected and hope to make the developers aware of the data exposure.