MILLIONS OF RECORDS from a variety of Chinese dating apps have been found sitting on an unsecured database for reasons currently unknown.
Security researcher Jeremiah Fowler discovered the database which effectively exposed the 42.5 million records belonging to dating app users mostly from the US.
The IP address, according to Fowler's research, has the database located on a US server and full of American users, going by their IP addresses and geolocation.
Fowler spotted some Chinese text in the database with commands that when translated note: "The model update completion event has been triggered, syncing to the user."
What that means is still unclear, though it could simply be referring to commands for apps to build up user profiles or perhaps its building a model of US dating app users through mixing all the data from the different apps. We don't really know at the time of writing.
There are other oddities, such as multiple apps storing data on the same database despite seemingly not being linked.
"What really struck me as odd was that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other," said Fowler. "The Whois registration for one of the sites uses what appears to be a fake address and phone number."
Fowler went on to note that is was difficult to contact the app providers, with some only providing a means to contact them once an app was downloaded on to a device.
"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions," said Fowler. "Call me old fashioned, but I remain sceptical of apps that are registered from a metro station in China or anywhere else."
Such scepticism is well placed as Fowler's research found that it was pretty straightforward to confirm a persons identity through the exposed data, as the online persona could be extracted from the IP address,age, location and user name.
"Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password many people use it again and again across multiple platforms and services," Fowler explained. "This makes it extremely easy for someone to find and identify you with very little information. Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places."
Fowler said the affected apps were Cougardating, an app deigned for couples to meet or for liaisons with young men; Christiansfinder, of which the name is self-explanatory; Mingler, an interracial dating app; Fwbs, an app for friends with benefits; and "TS", an app that could be a transgender/transexual dating app.
While Fowler attempted to contact the app developers, the researcher then decided it was time to alert the world, as the data being leaked is a pretty significant infringement of privacy.
"What concerns me most is that the virtually anonymous app developers could have full access to user's phones, data, and other potentially sensitive information. It is up to users to educate themselves about sharing their data and understand who they are giving that data to," said Fowler.
"This is another wake up call for anyone who shares their private information in exchange for some kind of service."
Given how many large exposures of personal data have happened recently, we can't argue with Fowler's missive. µ
Overclocking tool will squeeze more power out of Intel CPUs
Better yet, LG actually had permission to use it
It'll the help French sniff out more gas and oil
'Painful' move spurred by intensifying China-US trade war