A new mobile app described as ‘Yelp for Conservatives’ is leaking user data and business reviews, according to a French security researcher. The app, 63red Safe, was launched this weekend in the App Store and Play Store.
63red Safe describes itself as a service where users can read “reviews of local restaurants and businesses from a conservative perspective”, ensuring “that you are safe when you shop or eat”, ZDNet reports. The app was created by Scott Wallace after a number of incidents in which conservatives were asked to leave, or to remove ‘Make America Great Again’ merchandise, before they could eat in a restaurant or enter a business.
Leak
However, Baptiste Robert, a French security researcher, found that the app leaks most of its data. According to Robert, the app’s source code contains its author’s credentials as well as a list of the API endpoints it uses to store and retrieve data. That API does not use authentication, Robert says: anyone can read the source code, extract the endpoints and then pull data straight from the app’s server. Anything shipped inside a mobile app, credentials included, has to be treated as public, since every user who installs the app can decompile it.
Using this technique, the researcher established that 4,466 users had registered and created profiles since the launch last weekend. Each profile exposed the username, email address, avatar, number of followers and a field called a ‘hot score’.
Other API endpoints also allowed Robert to block users and modify the database logs, so unauthorized intrusions could be concealed. ZDNet asked Robert whether he could also edit user reviews of particular restaurants or businesses. “I didn’t test that, but I could do almost anything,” Robert replied.
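The attack path described in the two paragraphs above, and the fix it calls for, as an added example that is not code from 63red Safe or from the researcher: a constructed set of strings stands in for what decompiling an app yields, a regex pulls out the API paths and an obviously named credential, and each path is then probed against two local servers, one that answers anyone (the behaviour described above) and one that demands a bearer token and strips the email address from what other users can see. All hosts, paths, records and the token are invented for the example.

```python
import hmac
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for string literals pulled out of a decompiled app.
# Nothing here comes from 63red Safe; the host, paths and credential are invented.
DECOMPILED_STRINGS = '''
BASE_URL = "https://api.example-reviews.test"
static final String USERS = "/api/v1/users";
static final String USER = "/api/v1/users/%d";
static final String BLOCK = "/api/v1/users/%d/block";
String adminUser = "dev@example-reviews.test";
String adminPass = "hunter2";
'''

ENDPOINT_RE = re.compile(r'"(/api/[A-Za-z0-9_/%.-]+)"')
CREDENTIAL_RE = re.compile(r'(\w*(?:pass|secret|token)\w*)\s*=\s*"([^"]+)"', re.I)

def extract_endpoints(text):
    """Distinct API paths found in quoted string literals, in order of appearance."""
    found = []
    for match in ENDPOINT_RE.finditer(text):
        if match.group(1) not in found:
            found.append(match.group(1))
    return found

def find_hardcoded_credentials(text):
    """(identifier, value) pairs whose name suggests a secret; crude but useful triage."""
    return [(m.group(1), m.group(2)) for m in CREDENTIAL_RE.finditer(text)]

# Constructed user records with the fields the article says were exposed.
PROFILES = {
    1: {"username": "alice", "email": "alice@example.test", "avatar": "a.png", "followers": 12, "hot_score": 3.5},
    2: {"username": "bob", "email": "bob@example.test", "avatar": "b.png", "followers": 7, "hot_score": 1.2},
}
API_TOKEN = "constructed-session-token"  # stands in for a real per-user session token

class VulnerableHandler(BaseHTTPRequestHandler):
    """Answers every request with full records: the failure mode described above."""
    def do_GET(self):
        if self.path == "/api/v1/users":
            self._json(200, list(PROFILES.values()))
        else:
            self._json(404, {"error": "not found"})

    def _json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass

class HardenedHandler(VulnerableHandler):
    """Requires a bearer token and returns only the fields another user needs to see."""
    def do_GET(self):
        auth = self.headers.get("Authorization", "").encode()
        if not hmac.compare_digest(auth, f"Bearer {API_TOKEN}".encode()):
            self._json(401, {"error": "authentication required"})
            return
        if self.path == "/api/v1/users":
            public = [{"username": p["username"], "avatar": p["avatar"]} for p in PROFILES.values()]
            self._json(200, public)
        else:
            self._json(404, {"error": "not found"})

def serve(handler_cls):
    """Start handler_cls on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def probe(base_url, paths, token=None):
    """GET each concrete path; a 200 with no token means the endpoint is open to anyone."""
    results = {}
    for path in paths:
        if "%" in path:  # skip parameterised templates such as /users/%d
            continue
        req = Request(base_url + path)
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        try:
            with urlopen(req, timeout=2) as resp:
                results[path] = (resp.status, json.loads(resp.read()))
        except HTTPError as err:
            results[path] = (err.code, None)
    return results

def audit(handler_cls, token=None):
    """Probe the endpoints harvested from DECOMPILED_STRINGS against a local server."""
    server, base_url = serve(handler_cls)
    try:
        return probe(base_url, extract_endpoints(DECOMPILED_STRINGS), token)
    finally:
        server.shutdown()
        server.server_close()
```

The probe is the check a practitioner would run against a shipped app: any 200 returned without credentials marks an endpoint as open to the whole internet, not just to the app’s users. Moving a credential out of the binary is not enough on its own; the server has to reject unauthenticated calls, and even authenticated callers should receive only the fields the feature needs.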
Other app
Robert examined the app because he had previously found a similar leak in another mobile app aimed at American conservatives. “A few months ago, I analysed the Donald Daters app, three hours after it appeared. I thought it would be fun to analyze the same kind of ‘Donald Trump’-related app.”
Robert did not inform the company behind the app of his findings, which he instead shared publicly on Twitter. “Let’s just say I don’t really like Trump fans”, he explains. ZDNet, however, has contacted the company and its founder so that the company can take action and update its app to protect users’ data.
“We take this very seriously and have already taken action to provide extra protection for our data,” said a spokesperson. “The safety of our users and conservatives in general is our greatest concern, and we will continue to improve our systems in every possible way to ensure their safety.” The company further states that Robert was never able to modify data on its servers.
This news article was automatically translated from Dutch for Techzine.eu.