A significant security flaw in the dating application Raw exposed sensitive personal information, including detailed location data of its users, according to a recent discovery. Raw, launched in 2023 and designed to foster authentic romantic connections by requiring users to upload daily selfie photographs, inadvertently left user profiles exposed, complete with names, birth dates, detailed dating and sexual preferences, and geographic coordinates precise enough to pinpoint a user’s street-level position.
The exposure contradicts Raw’s marketing claims of employing rigorous end-to-end encryption to protect its users’ private data. Although the company promotes itself as a secure platform, an inspection carried out this week revealed no evidence that the app used end-to-end encryption. Instead, researchers found the application openly serving user data online without any authentication, allowing anyone with a web browser to retrieve a user’s profile by entering a specific URL that contained an easily guessable numerical identifier assigned to each user.
This security lapse emerges at an especially sensitive time for Raw, as the startup recently announced plans to expand its service offering through its yet-to-be-released “Raw Ring,” a wearable device designed to track physiological indicators—such as heart rates and emotions—of a user’s romantic partner, ostensibly using artificial intelligence to detect signs of infidelity.
Marina Anderson, co-founder of Raw, confirmed that the vulnerability had been fixed after the company was notified of the data exposure, stating that additional security measures have now been implemented to prevent similar occurrences in the future. Responding via email, Anderson also acknowledged that the company had not yet completed a third-party security audit of its app, adding that the team’s current focus remains on product quality and user engagement.
Though Anderson committed to informing regulatory authorities, she declined to expressly promise direct notification to affected users about the breach. She further explained that the company’s claims regarding encryption currently reference data encrypted in transit and access controls within the company’s infrastructure, but conceded that further evaluations would be necessary to determine next steps. Anderson declined to indicate whether Raw would revise its privacy policy in response to the breach.
The specific vulnerability, classified as an insecure direct object reference (IDOR), is a common but critical security flaw that cybersecurity experts consider highly exploitable because sensitive records are reachable without proper authentication and authorization checks. Authorities, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have repeatedly highlighted the significant threats posed by IDOR-related errors due to their simplicity and the widespread exposure they can cause.
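The pattern described above, an endpoint that hands out a full profile for any guessed numeric id, next to the hardened form a defender would expect (session required, object-level authorization enforced, and a minimized view for anyone who is not the owner). This is an added illustration, not Raw’s code; the profile records, session tokens and helper names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data standing in for a dating app's profile store.
@dataclass
class Profile:
    owner_id: int
    name: str
    birth_date: str
    preferences: str
    lat: float
    lon: float

PROFILES = {
    1: Profile(1, "Alice", "1995-04-02", "long-term", 37.77493, -122.41942),
    2: Profile(2, "Bob", "1990-11-17", "casual", 40.71278, -74.00594),
}
SESSIONS = {"tok-alice": 1}      # session token -> authenticated user id
VISIBLE_TO = {1: {2}}            # viewer id -> profile ids they may see (e.g. matches)

class Unauthorized(Exception): pass
class Forbidden(Exception): pass

def vulnerable_get_profile(profile_id):
    """IDOR: no session, no ownership check; a sequential id yields the full record."""
    p = PROFILES.get(profile_id)
    return vars(p) if p else None

def hardened_get_profile(session_token, profile_id):
    """Authenticate the caller, then authorize access to this specific object."""
    viewer = SESSIONS.get(session_token)
    if viewer is None:
        raise Unauthorized()                # anonymous callers get nothing
    p = PROFILES.get(profile_id)
    if p is None or (viewer != p.owner_id and profile_id not in VISIBLE_TO.get(viewer, set())):
        raise Forbidden()                   # same answer for "missing" and "not yours"
    if viewer == p.owner_id:
        return vars(p)                      # owners see their own full record
    # Non-owners get a minimized view: no birth date, and location rounded to
    # roughly 10 km (one decimal of lat/lon) instead of street-level coordinates.
    return {"name": p.name, "approx_location": (round(p.lat, 1), round(p.lon, 1))}
```

Replacing sequential ids with random, unguessable ones is worthwhile defense in depth, but it does not substitute for the authorization check: the hardened function refuses unauthorized requests even when the id is known.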
The timeline and full implications of Raw’s exposure remain under investigation by the company. The precise duration during which the users’ data was vulnerable and the potential scale of the exposure have not yet been clearly established.