THERE ARE PLENTY of fun things that three people can do together. Ludo, Snakes and Ladders - maybe even some Lawn Darts. Of course, some people prefer to bump uglies instead, and for that, there are a number of apps for folks to get their ends away with like-minded sex fiends.
What you really want from this kind of app is anonymity. For all our openness, we're still pretty damned prudish, and your employer doesn't need to know you go by the moniker of "SlaveGimp69," otherwise it would have been on your CV.
Threesome hookup app 3Fun was, apparently, not effectively plugging its backdoors, some intense penetration testing has revealed.
Stop giggling at the back, this is serious business.
Pen Test Partners has published some research describing 3Fun as "a privacy train wreck" with "probably the worst security for any dating app we've ever seen."
How so? Well, while other dating apps have let users abuse the 'distance from' feature by spoofing GPS coordinates to get an accurate lock on, 3Fun cut out the middle man and just gave the location to the mobile app with a GET request, down to the latitude and longitude.
While users could prevent the app sharing this data, that only stopped it from appearing in the app - it was still sent to the server, meaning anybody could query the API for the position.
Using this technique, the researchers found several eligible types in London, including one at 10 Downing Street. Though the researchers note that "it could be a tech-savvy user having fun making their position appear as if they are in the seat of power."
But it didn't just leak location. 3Fun also gave away birthdays and private photos too. One other interesting twist: using the copious leaked data, the researchers estimate that 3Fun is a bit of a sausage fest, with men outnumbering women by four to one. So if you were hoping to have two ladies in your threeway, the odds are even less in your favour than you might have expected.
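The core flaw above, a hide-location setting honoured only in the app while the server still returned coordinates, looks like this next to a server-side fix. This is an added example, not code from 3Fun or Pen Test Partners; the field names, the `hide_location` flag and the 5 km bucket are assumptions made for illustration.

```python
# Added illustration. Field names and hide_location are hypothetical,
# not taken from 3Fun's API.
import math

PUBLIC_FIELDS = ("user_id", "display_name")  # allowlist for other viewers
DISTANCE_BUCKET_KM = 5  # coarse buckets blunt "distance from" abuse via spoofed GPS


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def serialize_client_filtered(profile):
    """Weak pattern: send everything and trust the app to hide it."""
    return dict(profile)  # coordinates, birthday, private photos all leave the server


def serialize_server_filtered(profile, viewer):
    """Hardened pattern: the server decides what another user may receive."""
    out = {k: profile[k] for k in PUBLIC_FIELDS}  # anything not allowlisted is dropped
    if not profile["hide_location"]:
        km = haversine_km(viewer["lat"], viewer["lon"],
                          profile["lat"], profile["lon"])
        # Round up to the bucket edge; raw coordinates are never returned.
        buckets = max(1, math.ceil(km / DISTANCE_BUCKET_KM))
        out["distance_km"] = buckets * DISTANCE_BUCKET_KM
    return out


# Constructed sample records (not real users).
VIEWER = {"user_id": 1, "lat": 51.5007, "lon": -0.1246}
HIDDEN = {"user_id": 2, "display_name": "sample_a", "lat": 51.5155, "lon": -0.0922,
          "birthday": "1990-01-01", "private_photos": ["p1.jpg"],
          "hide_location": True}
VISIBLE = dict(HIDDEN, user_id=3, display_name="sample_b", hide_location=False)

if __name__ == "__main__":
    print(serialize_client_filtered(HIDDEN))          # leaks lat/lon despite the flag
    print(serialize_server_filtered(HIDDEN, VIEWER))  # no location data at all
    print(serialize_server_filtered(VISIBLE, VIEWER)) # bucketed distance only
```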
"We think there are a whole heap of other vulnerabilities, based on the code in the mobile app and the API, but we can't verify them," the researchers added.
Although the exploits are now fixed, perhaps the most alarming thing was the developers' response when the security flaws were disclosed: "Dear Alex, Thanks for your kindly reminding," the note began. Reminding!?
"We will fix the problems as soon as possible," the reply continued. "Do you have any suggestion?" Thankfully, Pen Test Partners provided some guidance and the app is now more secure.
We always suspected signing up to 3Fun would leave us feeling ultimately disappointed and a bit grubby in the morning. We just didn't realise it would have nothing to do with the rumpy-pumpy. µ