Trump-Themed Dating App Found Leaking Users’ Private Chats
A dating app for President Donald Trump supporters is apparently leaking its users' data, including their private messages.
The app is called Donald Daters and it launched on Monday with the goal of helping politically conservative singles connect. “You can message each other privately right inside of the app,” the website for it claims.
But according to French security researcher Robert Baptiste, the app launched with a major security flaw: the database that stores all the user information is exposed on the open internet.
“You should not use this app,” Baptiste said on his Twitter account, which goes by the moniker Elliot Alderson. By accessing the database, he was able to collect profile data, including names, photos, personal messages, and the digital access tokens used to log in to users' accounts. He even claims to have the ability to delete the app’s data.
To prove his point, he tweeted snapshots of the private messages he pulled from the database, in addition to user profile information. PCMag had a chance to examine a log taken from the database, and it did appear to show chats from actual users on the platform along with their profile pics.
I made a small proof of concept to show how the database of the Donald Daters app is vulnerable. With this POC I can:
– see all private messages
– see all user info
– delete what I want: a message, a user, the whole database, … pic.twitter.com/7doErhzYdY
— Elliot Alderson (@fs0c131y) October 15, 2018
The developers of Donald Daters did not immediately respond to a request for comment. But Baptiste told PCMag the app’s database was simply misconfigured, which should make the problem easy to fix. By late Monday, it appeared the app’s developers had secured the database.
Fortunately, Donald Daters just launched, so there probably isn’t a large number of sensitive messages to leak. But aside from the exposed database, the dating app suffers from its share of software bugs. PCMag tried it and noticed the app took several tries to register a profile account. At one point, the app also displayed a warning saying that the database had “reached its peak connections limit.”
Editor’s note: This story has been updated to say the database appears to have been secured.