Raw Dating App Exposes User Data in Major Security Flaw
The Raw dating app, known for its unique approach to daily selfie-based matchmaking, suffered a major security lapse that left the personal data and precise locations of its users exposed online.
Discovered by TechCrunch during a brief test of the app, the Raw dating app data leak allowed anyone with a web browser to access private profiles by manipulating user IDs in the app’s URL. Exposed data included names, birth dates, dating preferences, and GPS coordinates revealing exact user locations.
Raw, which launched in 2023 and boasts over 500,000 downloads on Google Play, claimed on its site and privacy policy to use end-to-end encryption. However, an analysis of the app’s traffic revealed no such protection.
Security Hole and Swift Fix
The vulnerability stemmed from an insecure direct object reference (IDOR), a common but critical class of bug in which the server never checks whether the logged-in requester is entitled to the record they ask for. With this flaw, any user’s information could be accessed by simply changing the numerical user ID in a server request URL.
Following TechCrunch’s report, Raw quickly patched the issue. Co-founder Marina Anderson confirmed via email that the exposed endpoints had been secured and new security measures implemented. However, the company admitted it had not yet conducted a third-party security audit and did not commit to notifying affected users.
“We’ve implemented additional safeguards and are preparing a report for data protection regulators,” Anderson stated.
Privacy vs. AI Ambitions
The timing of the breach coincides with Raw’s announcement of its upcoming wearable, the “Raw Ring”—a smart device designed to track a partner’s heart rate and biometric signals to generate AI-driven relationship insights.
Critics argue the wearable poses serious ethical concerns, potentially enabling emotional surveillance and breaches of intimacy. Despite Raw’s assurances of end-to-end encryption, experts warn that inadequate security practices raise red flags for any tech collecting sensitive relationship data.
How the Data Leak Was Found
TechCrunch set up a test account on an Android emulator, spoofed its location to Mountain View, California, and used a network analyzer to inspect app traffic. Within minutes, the unprotected server revealed profile data for any user when accessed through a specific URL path.
Example: api.raw.app/users/[11-digit ID]
This loophole allowed access to personal and location data tied to any valid user ID—a textbook case of an IDOR bug, as flagged in past advisories by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
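To make the bug class concrete, here is an added illustration (not code from Raw or from TechCrunch’s test) of the handler pattern behind an IDOR beside a hardened version that projects the record according to who is asking, plus a log check a defender could run to spot ID enumeration against such an endpoint. The user IDs, names, coordinates, field names and log format are constructed for the example.

```python
from typing import Optional
from collections import defaultdict

# Constructed sample records; none of these are real Raw users or coordinates.
PROFILES = {
    10000000001: {"name": "Ana", "birth_date": "1994-03-02",
                  "preferences": ["women"], "gps": (37.3861, -122.0839)},
    10000000002: {"name": "Ben", "birth_date": "1990-11-17",
                  "preferences": ["men", "women"], "gps": (37.4220, -122.0841)},
}

# Fields only the profile owner may read; an IDOR leaks exactly these.
OWNER_ONLY_FIELDS = {"birth_date", "gps", "preferences"}

def parse_user_path(path: str) -> Optional[int]:
    """Extract the numeric ID from a path shaped like /users/<11-digit ID>."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "users" or not parts[1].isdigit():
        return None
    return int(parts[1])

def get_user_vulnerable(session_user: int, path: str):
    """The IDOR pattern: the ID in the URL is trusted and the session is ignored."""
    uid = parse_user_path(path)
    if uid is None or uid not in PROFILES:
        return 404, None
    return 200, dict(PROFILES[uid])          # full record for any valid ID

def get_user_fixed(session_user: int, path: str):
    """Hardened: the same lookup, but the response depends on who is asking."""
    uid = parse_user_path(path)
    if uid is None or uid not in PROFILES:
        return 404, None
    record = PROFILES[uid]
    if uid == session_user:
        return 200, dict(record)             # the owner sees everything
    # Any other member gets only the public projection: location and
    # birth date never leave the server for a non-owner request.
    return 200, {k: v for k, v in record.items() if k not in OWNER_ONLY_FIELDS}

def enumerating_sessions(log_lines, threshold: int = 20):
    """Flag sessions that fetched many distinct profile IDs (constructed log format: "<session> <path>")."""
    seen = defaultdict(set)
    for line in log_lines:
        session, path = line.split()[:2]
        uid = parse_user_path(path)
        if uid is not None:
            seen[session].add(uid)
    return {s for s, ids in seen.items() if len(ids) >= threshold}
```

Unknown IDs return the same 404 from both handlers, so the fix does not turn the endpoint into an account-existence oracle.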
Lessons and Implications
Though Raw has since resolved the flaw, questions remain about its broader security practices and whether it plans to amend its privacy policy or conduct future audits. With increased public scrutiny over how apps manage user data—especially in the realm of dating and biometrics—companies like Raw must prove they can balance innovation with responsibility.
Users concerned about the breach should monitor for updates from Raw and consider limiting location permissions or disabling the app until clearer safety commitments are made.