Donald Daters App hacked on the same day of the launch – what we could have done
Data leaks are in the news every day, but very rarely is the hacking technique explained. An analysis of the Donald Daters Apps hacking attack and some possible solutions on how to prevent this.
We have to admit it. Dating has changed more in the last six years than over the past 60.
In 2012 Tinder was created and since then there has been a proliferation of many others ‘’copies’’, such as Bumble, Zoosk, Match etc…
It’s easy to get started: create a profile, upload a few nice photos, provide the necessary information, such as email, date of birth, gender, and simply swipe – right or left – to choose the best match (hopefully mutual) and possibly have the next date set up on your calendar.
According to surveys, Tinder found that 71%of online daters consider political differences to be a deal breaker. Being a supporter of President Donald Trump can apparently be challenging. Given what he’s known for that not hard to believe.
With political sentiment running high, and even impacting the realm of dating apps, it is not surprising The Donald Daters App was released.
The ‘Donald Daters’ is a new dating app recently launched for Apple and Android devices with the objective to help Trump supporters meet and mingle on a platform free of any liberal backlash. Obviously, only supporters of Donald Trump can use the app, confirming once more that political beliefs matter when it comes to choosing a partner for that next date.
The app aims to: “Make America Date Again” and immediately after the launch, around 1600 users signed up. Apparently, an early success indicator. However, that early success quickly turned into a catastrophe.
On October 15, 2018, only a few hours after the release into the marketplace, The Donald Daters App CEO, Emily Monero confirmed a data leak.
According to news coverage, security researcher Elliot Alderson was able to find and download the complete list of 1600 users and associated sensitive information from the Donald Daters app platform.
The creators of the app has reportedly taken swift and decisive action to remedy the vulnerability and make all possible efforts to prevent it from happening again, but the damage has been done. A news article quotes their press release as: “Out of caution, we have suspended the chat service on the app while we implement new security protocols. We are also taking immediate action to engage a leading, independent cybersecurity firm to pressure test the system to ensure it is secure against other vulnerabilities.”
What happened?
In a full article published on Medium, the hacker explained in detail the process he followed to gain access to the data, included users’ names, profile pictures, device types, private messages and access tokens that can be used to log into their accounts. He also posted a small subset on Twitter.
This is not the first time
Dating apps have a history of hacks and data leaks, this is not a new phenomenon. Security researchers have revealed numerous exploits in several popular dating apps. These include Tinder, Badoo, Bumble, OKCupid, Mamba, Zoosk, Happn and Paktor, all available both on iOS and Android. Using security holes, attackers access users’ locations, their real names, login info, and message histories. They can even see which profiles users have viewed. This makes dating app users vulnerable and susceptible to blackmail in extreme cases.
Leaked data is not the only risk posed to users of dating apps and websites, and the Donald Daters app is not the only dating app victim of a breach. Breaking news from Barclays reported by the BBC found that an online dating site scam cost victims on average almost $3,500. The Barclays research found that thousands of people are regularly losing thousands of dollars from online dating scams.
Something to think about
So, the question is: “How many times do we need to read news about the data breach and hacked apps to understand that our privacy, data, reputation and, in the worst case, money, are at risk?”
Do we really need to do anything? The answer is “Yes, we do”.
In a recent report, Gartner confirmed cybersecurity an emerging problem, particularly if we consider that more than 50% of the global traffic comes from mobile devices.
These vulnerabilities are the result of poor security and lack of data encryption, which means exposure of private information such as users name, profile pictures, device type, private messages, email, can be used to take over entire private accounts.
By exploiting these vulnerabilities, the hacker is able to destroy the users’ anonymity by obtaining their personally identifiable information from the app. The implications of this is bleak.
After getting access to sensitive data, hackers are able to blackmail the victims and force them to pay to prevent their data, included personal photos, emails and private messages, from being shared on the internet.
Everybody knows there is a lack of true ownership in terms of app security. The Donald Trump Hacker Attack has shown how a misconfiguration in the app settings can open the back-front door. When your app handles critical unprotected data, it can be trivially exfiltrated by attackers.
As users, we tend to not consider security as a priority, but more as an optional, since we cannot immediately see benefits. On the other side developers are often in rush and can fall victim to skipping the implementation of security, but at what cost?
What happened for The Donald Daters was a ‘’kind’’ hacker attack executed more to prove how easy it is to penetrate and get data from an app, rather than a proper attack executed with malicious intentions.
Here is what Quixxi Product Manager Antonino La Rosa said in regards to the attack:
“The possibility to reverse-engineer an Android app is heavily underrated by the mobile industry itself. Also, the rush to deliver or the developers’ inexperience can be other key factors in delivering code affected by vulnerabilities. In this case, the mobile app leaked the full set of credentials needed to access the app backend and to violate the privacy of the users [pictures, chats, political party, dating preferences]. When it comes to personal data – and not just when there is money involved – it is very important to harden and reduce the attacking surface. A proper encryption of the values needed on the client side and a better implementation of server-side security could have prevented this security breach”.
Secure data by protecting your app
Beyond the news, we need to understand it is more important to take preventive action than fixing issues after the breaches. We need to proactively consider security and protection during the App development in the same way we care about users and customer’s safety.
Imagine a Ferrari without seatbelts.
Apps with vulnerabilities are exactly the same and what we try to do every time a hacking attack happens is trying to settle the seatbelts in, when the driver has already been injured.
It doesn’t make any sense, for users or app developers, if we build app security with a cavalier approach.
About Quixxi
Offering best-in-class mobile application security, Quixxi security protects app using military-grade encryption, antimalware protection and many more industry-leading features. Starting with App Assessment, followed by App Protection and App Supervise to protect app developers from piracy, IP theft, loss of user data, revenue loss, and hacking. So, while applications work as intended, your app becomes impervious to attacks by even the most committed of attackers.
Quixxi’s unique 360 degrees approach to app security helps prevent lapses and incidents and it’s as easy as drag and drop your app – and boom your app has been protected.
Is Your Mobile App Secure? Test your app with quixxisecurity
Connect with us to secure your mobile apps
Contact info@quixxi.com