Feeld Dating App API

Some things are meant to stay private, especially personal messages and nude photos. So imagine Feeld users’ surprise when they found out their data had been exposed for a little over half a year.


Bugs belong in fields, not Feeld. However, the polyamorous dating app was recently found to have a variety of vulnerabilities, caused primarily by Broken Object Level Authorization (BOLA) flaws.

These vulnerabilities allowed for the disclosure of profile information to non-premium users, as well as access to other people’s messages, matches, and even photos. 

Users could access other people’s chats, including deleted chats, without authentication and even send messages as other users. They could also do things like update someone else’s profile information and get “Likes” from any user profile.

Vulnerabilities

The disclosure of profile information was made possible by a GraphQL endpoint that revealed too much information to non-premium users. The vulnerabilities fall under the category of IDOR/BOLA: Insecure Direct Object References and Broken Object Level Authorization.

In an API call, changing the streamUserId value reveals the messages of other profiles.

A victim’s streamUserId value is disclosed in various API calls, including the GraphQL endpoint.

The streamUserId value is a Universally Unique Identifier (UUID), which would be hard enough to guess to count as good security, except that it is disclosed in various calls.

The attachments of other users’ chat history could also be disclosed, including time-limited photos. This means the photos are kept and stored in a manner that can easily be accessed via an API call, without verifying that the requesting API caller is the owner of the chat.

Every message has a unique ID (UUID). Even deleted messages keep their own unique ID, through which an attacker can recover them, delete or edit messages from any user’s profile, and even update their profile information, view matches, give likes, and more. Again, these UUIDs are exposed and easily copied.
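The ownership check the article says was missing, shown as an added Python illustration that is not Feeld’s code: a handler that trusts a client-supplied streamUserId or message UUID beside one that authorizes each object against the authenticated caller. The user and message IDs are constructed sample data.

```python
import uuid

# Constructed sample data (not Feeld's): three users and one chat between two of them.
# Every id is a UUID, like the streamUserId and message ids described above.
ALICE, BOB, MALLORY = (str(uuid.uuid4()) for _ in range(3))
MESSAGES = {  # message id -> record
    str(uuid.uuid4()): {"chat": frozenset({ALICE, BOB}), "sender": ALICE, "text": "hi", "deleted": False},
    str(uuid.uuid4()): {"chat": frozenset({ALICE, BOB}), "sender": BOB, "text": "oops", "deleted": True},
}

class Forbidden(Exception):
    """The authenticated caller does not own the object it asked for."""

def list_messages_vulnerable(requester, stream_user_id):
    """BOLA: trusts the client-supplied streamUserId and ignores who is asking,
    so anyone holding the UUID gets the whole history, deleted messages included."""
    return [m for m in MESSAGES.values() if stream_user_id in m["chat"]]

def list_messages_fixed(requester, stream_user_id):
    """Authorize per object: a principal may only read its own stream, and
    soft-deleted messages are never served, however the id was obtained."""
    if requester != stream_user_id:
        raise Forbidden("streamUserId does not belong to the caller")
    return [m for m in MESSAGES.values() if requester in m["chat"] and not m["deleted"]]

def edit_message_vulnerable(requester, message_id, new_text):
    """Same flaw on a second object type: knowing a message UUID is enough to edit it."""
    MESSAGES[message_id]["text"] = new_text
    return True

def edit_message_fixed(requester, message_id, new_text):
    """Load the message, then require the caller to be its sender before mutating it.
    Unauthorized and deleted cases both answer 'not found' so the check leaks nothing."""
    msg = MESSAGES.get(message_id)
    if msg is None or msg["sender"] != requester or msg["deleted"]:
        raise LookupError("message not found")
    msg["text"] = new_text
    return True

def denied(call):
    """True when the hardened endpoint rejects the call (helper for checking outcomes)."""
    try:
        call()
    except (Forbidden, LookupError):
        return True
    return False
```

The unguessability of a UUID never substitutes for the authorization check; once the id leaks, only the per-object check in the fixed handlers stands between an outsider and the data.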

Impacts

The data exposure was only discovered recently but had been in effect for almost half a year. Users of the app have been informed that these vulnerabilities have been remedied, but many are still left uneasy, wondering whether their data could have been breached during this time.

Even if their dating app profiles are safe, for now, the implications of these vulnerabilities, and how long they took to be fixed, are staggering.

Despite how critical they are for applications and internet functions, APIs are still largely misunderstood, and as a result many companies, even tech giants, still lack adequate, up-to-date API security. As attacks grow more advanced with the development of AI and other technologies that give attackers increased automation capabilities, we will continue to see data exposures and vulnerabilities like this one, which could lead to catastrophic breaches.