Raw dating app exposes users’ locations and private data
Farah Amod
Jun 2, 2025 6:02:44 PM

A security flaw in the dating app Raw exposed users' real-time locations and intimate data, raising alarm over privacy risks in location-based apps.
What happened
Dating app Raw, known for promoting ‘authentic’ connections, has been found exposing highly sensitive user data, including real-time location information and sexual preferences. The discovery was made by TechCrunch, which found that anyone with a browser could access detailed profiles of Raw users, including exact coordinates that could pinpoint individuals to street-level accuracy.
The app, launched in 2023 and downloaded over 500,000 times on Android, also collects daily selfies and dating preferences as part of its engagement model. The exposure was quietly patched after TechCrunch alerted the company, but questions remain about how long the flaw went unnoticed and whether users will ever be informed.
Going deeper
The vulnerability allowed access to full user profiles via direct URLs, so no password or authentication was needed. Classified as an IDOR (Insecure Direct Object Reference), the flaw meant that simply changing the last 11 digits of a user profile URL would reveal private information from other users. Exposed data included names, birthdays, sexual preferences, and location details accurate to just a few meters.
TechCrunch tested the app using dummy data and a virtual Android device, discovering the bug in minutes. Raw’s servers returned full user profiles without checking who was requesting the data. The issue is especially concerning given Raw’s recent announcement of a wearable device, the Raw Ring, which would collect biometric data like heart rate for relationship insights.
Despite its privacy claims, including end-to-end encryption, Raw’s app showed no signs of using such protections in practice. After being contacted, the company secured the exposed endpoints but admitted it had not conducted a third-party security audit.
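The missing check described in this section, shown as an added example (not Raw's code and not from TechCrunch's report): a profile lookup that trusts the ID in the request, beside one that authenticates the caller and authorizes access per object. The record layout, session store, field policy and function names are hypothetical, and the sample data is constructed.

```python
# Added illustration: profile lookup without and with an object-level
# authorization check. All names and data are hypothetical/constructed.

# Constructed records keyed by an 11-digit id, matching the URL shape described.
PROFILES = {
    "10000000001": {"display_name": "sample_a", "birthday": "1990-01-01",
                    "preferences": "constructed", "lat": 40.712776, "lon": -74.005974},
    "10000000002": {"display_name": "sample_b", "birthday": "1992-02-02",
                    "preferences": "constructed", "lat": 51.507351, "lon": -0.127758},
}
SESSIONS = {"tok-a": "10000000001"}   # hypothetical session token -> user id
PUBLIC_FIELDS = ("display_name",)     # assumed policy: what other users may see


class Forbidden(Exception):
    """Raised for unauthenticated or unauthorized requests."""


def get_profile_vulnerable(profile_id):
    """The flawed pattern: the id in the request is the only input consulted."""
    return PROFILES.get(profile_id)


def get_profile_hardened(session_token, profile_id):
    """Authenticate the caller, then decide per object what they may read."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        raise Forbidden("authentication required")
    record = PROFILES.get(profile_id)
    if record is None:
        # Same error as a denied request, so responses do not confirm valid ids.
        raise Forbidden("not available")
    if caller_id == profile_id:
        return dict(record)  # owners see their own full record
    # Everyone else gets public fields plus a location rounded to 0.1 degree.
    view = {field: record[field] for field in PUBLIC_FIELDS}
    view["lat"] = round(record["lat"], 1)
    view["lon"] = round(record["lon"], 1)
    return view


if __name__ == "__main__":
    print(get_profile_vulnerable("10000000002"))         # full record, no caller check
    print(get_profile_hardened("tok-a", "10000000002"))  # reduced view
```

The hardened function makes the authorization decision on the server for every request, so knowing or changing an ID is no longer enough to read another user's record.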
What was said
“We’ve implemented additional safeguards to prevent similar issues in the future,” Raw co-founder Marina Anderson told TechCrunch via email. However, she declined to confirm whether affected users would be notified or when the app’s privacy policy would be updated.
Anderson also clarified earlier claims about security, noting that while the app uses “encryption in transit” and “access controls,” it does not support end-to-end encryption. When asked about accountability and transparency, the company pointed to ongoing investigations and its regulatory reporting obligations.
The big picture
In a market flooded with apps collecting sensitive behavioral and biometric data, a lapse like Raw’s is made worse by unverified privacy claims and a lack of audits, putting users at risk.
As US cybersecurity officials have repeatedly warned, IDOR vulnerabilities allow malicious actors to exploit apps at scale. Without proper security frameworks, even well-intentioned platforms can become threats to user privacy. For startups like Raw, trust is easy to lose and much harder to earn back, especially when the exposure could have endangered users in real-world scenarios.
FAQs
What is an IDOR vulnerability?
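An IDOR (Insecure Direct Object Reference) lets attackers access data they are not authorized to see by modifying an identifier in a URL or parameter, because the server does not check whether the requester is allowed to access that object. In Raw's case, no password or login was needed.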
Could someone have tracked users in real time using this flaw?
Yes. The exposed data included precise GPS coordinates, potentially allowing real-time tracking down to street level.
Was biometric data from the Raw Ring compromised?
No biometric data from the Raw Ring was confirmed to be exposed, but concerns remain due to the app’s poor security practices.
Did Raw notify users about the exposure?
As of now, Raw has not confirmed whether it plans to notify affected users or update its privacy policy.
How can users protect themselves on dating apps?
Stick to apps with verified security audits, avoid sharing real-time location data, and regularly review app permissions and privacy settings.