Love Threesomes? What You Need to Know About Security Flaws Found in 3Fun Dating App

Flushing out sexual stigma from legit privacy concerns.

Like other dating apps before it, 3Fun was hit with allegations of serious security flaws.

The 3Fun dating app is specifically intended for arranging threesomes. It offers some interesting and appealing features: users can upload private photos that only their matches can see, and a photo verification system aims to reduce catfishing.

The app is also LGBTQ-friendly: its description on the App Store states “Whether you’re a gay, lesbian, bisexual, pansexual, polysexual, queer or transgender, we’ve got you covered!” 

However, all that glitters is not gold.

Recently, the Internet security firm Pen Test Partners tested the app and published an article about its security flaws, claiming that very personal data of its users, such as location and birthday, were exposed.

Dating apps and their security problems

Pen Test Partners had already found security flaws in other popular dating apps: Grindr, Romeo, and Recon. The company’s white-hat hackers were able to reveal the location of thousands of users, using a procedure called “trilateration.”

Using spoofed locations, they could trick a feature that shows potential matches near the user. This way, they were able to retrieve the exact location of millions of singles looking for love.

As for 3Fun, Pen Test Partners claims that “this one really takes the biscuit: probably the worst security for any dating app we’ve ever seen.” Pen Test Partners’ staff found that the sexy threesome app simply leaks the GPS coordinates of any user, without the need for trilateration.

The white-hat hackers discovered that the 3Fun servers return lots of sensitive data to the user’s app in response to a GET request: latitude, longitude and birthday. They could even easily retrieve the private photos, which were only supposed to be seen by the user’s matches.

Pen Test Partners could even locate some 3Fun users at the White House and the U.S. Supreme Court, but they reminded their readers that it could be just a tech prank. Probably, a tech-savvy user rewrote his or her location for fun.

Technically, the app offers a feature to hide the latitude and longitude of the user, to avoid giving away a precise location. However, Pen Test Partners discovered that choosing this option only filters user data in the app, not on the server. This way, a hacker could still obtain the exact position of the user through the API.
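What enforcing that setting on the server looks like, as an added example that is not 3Fun's or Pen Test Partners' code: the leaky serializer sends every field and trusts the app to hide it, while the second one never puts restricted fields in the response. The record layout, field names and coarse-location rounding are assumptions, and the sample profile is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Profile:  # hypothetical record; field names are assumptions
    user_id: int
    name: str
    birthday: date
    lat: float
    lon: float
    hide_location: bool = False
    private_photos: list = field(default_factory=list)
    matches: set = field(default_factory=set)

def serialize_leaky(p):
    """Pattern the article describes: every field goes over the wire and
    the app is trusted to hide what the privacy setting covers."""
    return {"id": p.user_id, "name": p.name,
            "birthday": p.birthday.isoformat(),
            "lat": p.lat, "lon": p.lon, "hide_location": p.hide_location,
            "private_photos": list(p.private_photos)}

def serialize_for(p, viewer_id, today):
    """Server-side enforcement: anything the viewer may not see is never
    put in the response, so a modified client has nothing to un-hide."""
    had_birthday = (today.month, today.day) >= (p.birthday.month, p.birthday.day)
    out = {"id": p.user_id, "name": p.name,
           "age": today.year - p.birthday.year - (0 if had_birthday else 1)}
    if not p.hide_location:
        # Assumption (not from the article): expose only a coarse position.
        out["approx_lat"] = round(p.lat, 1)
        out["approx_lon"] = round(p.lon, 1)
    if viewer_id in p.matches:  # private photos go to matches only
        out["private_photos"] = list(p.private_photos)
    return out

def exposed(response):
    """Regression check: sensitive keys present in an API response."""
    return sorted({"lat", "lon", "birthday"} & response.keys())

# Constructed sample data, not real user records.
SAMPLE = Profile(1, "sample", date(1990, 8, 15), 51.5007, -0.1246,
                 hide_location=True, private_photos=["p1.jpg"], matches={2})
TODAY = date(2019, 9, 1)

if __name__ == "__main__":
    print("leaky:", exposed(serialize_leaky(SAMPLE)))
    print("stranger:", serialize_for(SAMPLE, 3, TODAY))
    print("match:", serialize_for(SAMPLE, 2, TODAY))
```

A check like `exposed()` can run in the API's test suite against every endpoint response, so a regression that puts raw coordinates or birthdays back on the wire fails the build.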

The company claims that the leakage of those personal data “can be used to stalk users in near real-time,” potentially exposing them to criminals or relationship and career issues. 

That’s why Pen Test Partners immediately contacted 3Fun, to urge its developers to fix the security issues. Luckily, the threesome app acted quickly to resolve the issues and, on September 1, its staff published a blog post explaining to the users what was going on with their privacy:

After the security vulnerabilities were reported inside of the dating app, 3Fun, immediate action was taken by developers to correct the issue. […] Users’ data is not hacked or disclosed.

The developers released a new API to replace the unsafe one, so the users can keep having fun without worries.

Security issues or sexual stigma?

In 2017, the team of Internet of Dongs, an online project focused on improving teledildonic security, accused Pen Test Partners of sensationalizing the security issues of a smart sex toy, the Svakom Siime Eye. 

According to Internet of Dongs, the renowned UK-based security firm “takes a barely contained juvenile tone of incredulity that people would want to use such a device,” and approaches the sex toy topic in a judgemental way.

RenderMan, Internet of Dongs’ founder, wrote in a blog post that, while the Siime Eye truly had some serious security issues, many of the claims made by Pen Test Partners were exaggerated.

He invited the company to join his project, to actually help sex toy vendors to improve their products’ privacy and security rather than perpetuating sex-related stigma. Since then, RenderMan has examined other flaws in Pen Test Partners’ research about Internet-connected sex toys.

The question lingers regarding the motivation to investigate and publicize such security flaws. Is the concern about the safety of teledildonics and sex apps legit? Or are the sensational media headlines and attention that come with it the true appeal?

Image sources: App Store