
Image by Jonas Leupe, from Unsplash
Dating App Raw Exposes User Data, Including Location and Sexual Preferences
Raw app leaked user locations and personal data due to a major security flaw, raising concerns over its new AI-powered relationship tracking device.
In a rush? Here are the quick facts:
- Data included names, birthdays, and sexual preferences—no encryption found.
- Flaw was an IDOR bug; anyone could access profiles via browser.
- Raw hasn’t undergone independent security audits despite the exposure.
A serious security flaw in dating app Raw exposed users’ personal and location data to anyone online, as first revealed by TechCrunch. The exposed data included users’ names, birthdates, sexual preferences, and exact GPS coordinates, allowing location tracking down to street level.
Raw, launched in 2023, has reached more than 500,000 downloads and encourages users to build genuine relationships by requiring daily selfie uploads.
TechCrunch notes that this week, the company also announced a wearable device, the Raw Ring, claiming it can monitor a partner’s heart rate and offer AI-generated insights, potentially to spot cheating.
Despite claims of using end-to-end encryption, TechCrunch found no such protections. Their analysis showed that user data could be accessed freely through a browser using a known web address.
“All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Raw co-founder Marina Anderson said via email to TechCrunch.
When asked, Anderson admitted the app hasn’t undergone any third-party security audits. She added the company is still investigating and will “submit a detailed report to the relevant data protection authorities under applicable regulations.”
However, TechCrunch notes that she did not confirm whether users would be notified individually, or if the privacy policy will be updated.
TechCrunch explains that the type of vulnerability found is known as an insecure direct object reference (IDOR), a common but dangerous bug. This occurs when the app uses easily guessable identifiers, like numbers or file names, to control access to data.
For example, if a user’s profile is accessed by a URL with a number at the end (like /profile/123), an attacker could change that number to view someone else’s profile (e.g., /profile/124). Without proper security checks, they can exploit this and access or modify data they shouldn’t have access to.
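The /profile/123 case above as code, with the vulnerable handler beside one that adds the missing per-request check, plus a small regression check for leaked fields. This is an added illustration, not Raw's code or TechCrunch's test; the data, field names and function names are constructed assumptions.

```python
# Constructed sample records; field names are illustrative, not Raw's schema.
PROFILES = {
    123: {"name": "Alice", "birthday": "1990-01-01", "lat": 52.52, "lon": 13.405},
    124: {"name": "Bob", "birthday": "1988-05-17", "lat": 48.8566, "lon": 2.3522},
}
PUBLIC_FIELDS = ("name",)  # assumption: only this field is shown to other users


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_profile_vulnerable(session_user_id, profile_id):
    # IDOR: the ID taken from the URL is trusted and the caller is never checked,
    # so changing 123 to 124 returns another user's full record.
    return PROFILES[profile_id]


def get_profile_hardened(session_user_id, profile_id):
    # Object-level authorization: decide on every request what this caller may see.
    if session_user_id is None:
        raise Forbidden("authentication required")
    profile = PROFILES.get(profile_id)
    if profile is None:
        # Same error as a denial, so responses do not reveal which IDs exist.
        raise Forbidden("not available")
    if session_user_id == profile_id:
        return dict(profile)  # owners see their own full record
    return {field: profile[field] for field in PUBLIC_FIELDS}


def leaked_fields(handler, caller_id, target_id):
    # Regression check: which non-public fields of target_id reach caller_id?
    try:
        response = handler(caller_id, target_id)
    except Forbidden:
        return set()
    return set(response) - set(PUBLIC_FIELDS)


if __name__ == "__main__":
    for handler in (get_profile_vulnerable, get_profile_hardened):
        print(handler.__name__, sorted(leaked_fields(handler, 123, 124)))
```

Making the identifiers hard to guess does not replace the check: the hardened handler stays safe even with sequential IDs, because access is decided from the session, not from the URL.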
The security researchers at TechCrunch detected the flaw through a test with simulated data and location, which revealed the leak in just a few minutes. Before developers fixed the issue, the flaw enabled users to access profiles by modifying a single number in the application’s web address.
Despite the fix, concerns remain over Raw’s data practices and its new device’s potential for invasive surveillance.