Dating app 3Fun, which describes itself as an app designed “for meeting local kinky, open-minded people for 3some & swinger lifestyle” and claims over 1.5 million users, appears to have been open to more than just relationships. In a new post from security firm Pen Test Partners this week, it also apparently exposed sensitive user data including the “near real time location” of its members, their photos and information including birthdates, sexual preferences and chats.
In short, the firm called the app a “privacy train wreck,” adding “how many relationships or careers could be ended through this data being exposed?”
Available on iOS and Android, the app’s Google Play page lists it as having over 100,000 installs.
According to Pen Test’s findings, which were shared and verified by TechCrunch, getting some of the data was as simple as spoofing a GPS location in the app, which then pulled up information of users nearby. The results included finding members located in the Supreme Court and the White House, though the exact information on those users wasn’t revealed, and the report notes it’s possible somebody was spoofing their own location to appear as if they were in those government buildings.
Pen Test says it reached out to 3Fun on July 1 to let them know about the holes, writing that the company responded “Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team.”
The research firm says they did make some suggestions and that 3Fun “took action fairly quickly and resolved the problem.”
In a statement, the company acknowledged the issues and says it will work to make its app safer going forward.
“We sincerely apologize about the vulnerability. We took the action immediately,” the company told CNET. “Security updates to 3Fun’s API, servers and mobile application were made on July 2nd and a new, more secure version of the app was released on July 8th. We will focus on updating our product to make it safer.”
Originally published August 9 at 10:08 a.m. PT.
Updated August 12 at 8:00 a.m. PT: Added 3Fun comment.