A critical security lapse in the popular dating app Raw exposed sensitive user data, including names, birthdates, sexual preferences, and precise location information, TechCrunch reports.

The vulnerability, now fixed, allowed anyone with a web browser to access user data directly from the app’s servers without authentication.

Launched in 2023, Raw promotes “authentic” connections through daily selfies and has over 500,000 downloads on Android. However, TechCrunch discovered that Raw was leaking user data through a flaw known as an Insecure Direct Object Reference (IDOR) — a common but dangerous security issue that permits unauthorized access to other users’ records.

Raw co-founder Marina Anderson confirmed the flaw was patched after being contacted by TechCrunch and claimed the company has “implemented additional safeguards.” However, Anderson also admitted the app has not undergone a third-party security audit and declined to commit to notifying affected users.

Although Raw claims to use end-to-end encryption, TechCrunch found no such protection in place. Instead, the app used basic encryption in transit and lacked key access controls. Raw now says it’s investigating the issue and will report the incident to the relevant data protection authorities.
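The IDOR pattern described above, shown as an added example that is not Raw's code or anything published by TechCrunch: a lookup that trusts the requested ID, the same lookup with authentication, per-object authorization and field minimisation, and a regression check that flags sensitive fields returned to a non-owner. The record layout, session tokens, function names and the public-field allow-list are assumptions, and the data is constructed.

```python
from dataclasses import dataclass, asdict

@dataclass
class Profile:  # hypothetical record; fields mirror the data types named in the article
    user_id: int
    display_name: str
    birthdate: str
    sexual_preference: str
    lat: float
    lon: float

# Constructed sample data.
DB = {
    1001: Profile(1001, "alice", "1994-02-11", "sample-a", 52.520008, 13.404954),
    1002: Profile(1002, "bob", "1990-07-30", "sample-b", 48.856613, 2.352222),
}
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}   # session token -> user id
PUBLIC_FIELDS = ("user_id", "display_name")       # assumed allow-list for other users
SENSITIVE = {"birthdate", "sexual_preference", "lat", "lon"}

def get_profile_vulnerable(requested_id, session_token=None):
    """IDOR: the ID in the request alone decides which record is returned."""
    profile = DB.get(requested_id)
    return (200, asdict(profile)) if profile else (404, {})

def get_profile_hardened(requested_id, session_token=None):
    """Authenticate, then authorize per object, then minimise the fields returned."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        return 401, {}                    # no valid session: reject before any lookup
    profile = DB.get(requested_id)
    if profile is None:
        return 404, {}
    record = asdict(profile)
    if caller_id == requested_id:
        return 200, record                # the owner sees the full record
    return 200, {k: record[k] for k in PUBLIC_FIELDS}

def leaks(handler):
    """List (caller, target) pairs where a non-owner receives sensitive fields."""
    findings = []
    for token, caller in [(None, None), *SESSIONS.items()]:
        for target in DB:
            _status, body = handler(target, token)
            if caller != target and SENSITIVE & body.keys():
                findings.append((caller, target))
    return findings
```

A check like `leaks` belongs in the API's test suite so that a new endpoint returning another user's sensitive fields fails the build.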
