3fun: Security glitch in threesome hook-up app reveals details of users in Downing Street and White House

‘Worst security of any dating app we’ve ever seen,’ say experts

Harry Cockburn
Saturday 10 August 2019 17:31 BST
Comments
Serious security flaw revealed information including users pictures, locations, sexual preferences and relationship status
Serious security flaw revealed information including users pictures, locations, sexual preferences and relationship status (Getty)

Support truly
independent journalism

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Louise Thomas

Editor

A dating app designed for arranging threesomes has been described as a “privacy train wreck” by security experts after the software was found to reveal real-time locations, birth dates, chat data and even photographs of its 1.5 million users.

The app, 3fun, revealed users with locations appearing to be in No 10 in London, and the White House and the US Supreme Court in Washington DC, according to a report on cyber security firm Pen Test Partners’ website.

Other dating apps, including Grindr, Romeo and Recon have recently also been found to have been revealing the exact location of users, but in those cases users’ precise locations were calculated by triangulating distances from three different places. On 3fun, the exact co-ordinates, accurate to within a building, were accessible through the app.

Furthermore, private photographs were accessible too.

Pen Test Partners said 3fun had “probably the worst security for any dating app we’ve ever seen”.

Users of the app could restrict the app from showing their locations, but according to Pen Test Partners, the data was only filtered on the mobile app itself, not on the servers containing the data, which their experts were able to query to reveal location information.

While the data the security company saw revealed users with locations in No 10, the White House, and the US Supreme Court, Pen Test Partners’ Alex Lomas said: “It’s technically possible to re-write one’s position, so it could be a tech savvy user having fun making their position appear as if they are in the seat of power.”

He added: “There are definitely some ‘special relationships’ going on in seats of power.”

Map indicating UK users of the 3fun app
Map indicating UK users of the 3fun app (Pen Test Partners)

In their analysis, Pen Test Partners also used the vulnerable data to calculate the number of users listing themselves as straight men, compared to the number of users whose profiles state they are straight women, and found a ratio of four straight men to every one straight woman.

Sexual preference and relationship status could also be queried.

Pen Test Partners contacted 3fun on 1 July pointing out the data had been compromised and advised them to fix the security flaws.

In a text message, 3fun reportedly replied: “Dear Alex, Thanks for your kindly reminding. We will fix the problems as soon as possible. Do you have any suggestion? Regards, The 3Fun Team”.

While Pen Test Partners said the text was “a little concerning”, they noted the company took action quickly and resolved the problem.

A spokesperson for 3Fun told tech news website The Verge the company had updated the app on 8 July and added: “We will focus on updating our product to make it safer.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in