Dating apps are a trove of deeply personal information, where people go to meet a new partner or simply to connect. Security is essential, because users share private details and personal conversations, and data breaches affecting dating apps can have severe consequences.

And that’s what made the case of the Feeld dating app so serious: a series of vulnerabilities discovered by security research firm Fortbridge could have exposed the data of its millions of users.


What Happened to the Feeld Dating App?

Fortbridge, a penetration testing company, was tasked with extensively examining the Feeld dating app, probing for weaknesses that could expose users' data. Fortbridge’s extensive blog on the process revealed eight vulnerabilities with the potential for data theft.

It’s important to note that while Fortbridge found a series of issues, the vulnerabilities were discovered during an ethical hacking process. There is no indication that malicious hackers have taken advantage of the vulnerabilities.

Messages intercepted from Feeld app.

In early 2024, Fortbridge began penetration testing the Feeld dating app and quickly found how easy it was to access information it should not have been able to reach. On March 6th, Fortbridge presented its findings to Feeld. When Fortbridge prepared to publish a blog post detailing the vulnerabilities, Feeld asked it to delay publication so the bugs could be addressed. On August 16th, Feeld wrote to Fortbridge that the bugs had been fixed and that the post could be published.

However, after speaking with Feeld directly, we learned that the vulnerabilities were fixed as early as May 2024, but there was a communication lapse. Speaking to MakeUseOf, a Feeld spokesperson said:

We take full responsibility for this communications lapse, which is being reviewed internally to address and rectify our policies moving forward, to ensure we’re always communicating, and doing so quickly. Since March, changes have been implemented with our engineering teams to ensure future communications with our ethical hacking community are timely and accurate. We want to assure our Members that there is no evidence that any breach took place or that any private Member information was accessed by bad actors. To be very clear: the vulnerabilities detected earlier this year by Fortbridge have been resolved, verified by a trusted third party, and the report poses no current threat to Members’ profiles or the security of their personal information.

Despite remedying the vulnerabilities, Feeld failed to mention anything regarding security updates in its version history notes in the App Store or Play Store.

Feeld explained that because most of these fixes were focused on the service backend, the vulnerabilities and fixes weren’t included in the front-facing version history. This is understandable, but I still contend that issues of this nature should have been disclosed.

What Information Could Hackers Gain if the Vulnerabilities Were Exploited?

Feeld’s bugs made it easy for attackers to access information they had no permission to see. This class of vulnerability is called broken access control, which the OWASP Top 10 (2021) ranks as the most common web application risk (A01), and it is among the most damaging: the server authenticates the user but never checks that the user is actually authorized to view the specific record they request.

By exploiting this vulnerability, a hacker could access sensitive user information, such as photos, videos, messages, age, sexual orientation, and location.

What’s most surprising is that Fortbridge used standard, widely available tooling to access the data. The researchers used Burp Suite, an intercepting HTTP proxy, to sit between the app and Feeld’s servers and read and modify the requests and responses passing between them. Once they could see and edit that traffic, the researchers found it incredibly simple to retrieve information that should not have been available to their own account, from sensitive user data to private messages and pictures, and to use what the responses revealed to push further into other accounts.

Along with accessing photos and videos (even ones set to disappear after 5-15 seconds), the researchers could read messages between users and send messages on a user’s behalf, effectively giving them control of users' profiles. Speaking to The Register, application security specialist Sean Wright gave a damning indictment of the Feeld app’s security:

A lot of information used within this app is going to be incredibly personal. These vulnerabilities could be leveraged by all types of nefarious actors, from a jealous ex, to a stalker, to organized criminals leveraging blackmailing-type scams.

The ability to read other people’s messages and attachments is especially concerning. These will be incredibly personal and private. To make matters worse, it doesn’t appear to be complicated to be able to exploit these vulnerabilities.
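To make the access-control failure described above concrete, here is an added example (written for this article, not Feeld’s or Fortbridge’s code; all handler names, tokens, ids and sample data are hypothetical and constructed). Each API handler appears twice: the vulnerable version authenticates the session but then trusts identifiers supplied by the client, which is exactly what an intercepting proxy such as Burp Suite lets an attacker rewrite; the fixed version derives identity from the session and enforces ownership and media expiry on the server.

```python
# Illustrative broken-access-control example (added here; NOT Feeld's code).
# Handlers return (http_status, body) so the outcome of each request is explicit.
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    conversation_id: int
    sender_id: int
    body: str


@dataclass(frozen=True)
class Media:
    conversation_id: int
    blob: bytes
    expires_at: float  # epoch seconds; "disappearing" media must be enforced here, not in the client


# Constructed sample data (hypothetical, not real user data).
SESSIONS = {"tok-alice": 1, "tok-bob": 2, "tok-mallory": 3}   # session token -> user id
CONVERSATIONS = {10: {1, 2}, 11: {2, 3}}                       # conversation id -> participants
MESSAGES = [
    Message(10, 1, "see you tonight?"),
    Message(10, 2, "yes, 8pm"),
    Message(11, 3, "hi bob"),
]
MEDIA = {500: Media(10, b"\x89PNG...", expires_at=1_700_000_000.0)}  # expired long ago


def _user_id(token):
    """Map a session token to a user id, or None if the session is invalid."""
    return SESSIONS.get(token)


def _is_participant(user_id, conversation_id):
    return user_id in CONVERSATIONS.get(conversation_id, set())


# --- Vulnerable handlers: authenticated, but authorization is missing ---------

def get_messages_vulnerable(token, params):
    if _user_id(token) is None:
        return 401, None
    conv = int(params["conversation_id"])  # attacker-controlled; never checked against the caller
    return 200, [m.body for m in MESSAGES if m.conversation_id == conv]


def send_message_vulnerable(token, params, store):
    if _user_id(token) is None:
        return 401, None
    # sender_id comes from the request body, so any logged-in caller can impersonate anyone
    store.append(Message(int(params["conversation_id"]), int(params["sender_id"]), params["body"]))
    return 201, None


def get_media_vulnerable(token, params):
    if _user_id(token) is None:
        return 401, None
    media = MEDIA.get(int(params["media_id"]))
    # no participation check and no expiry check: "disappearing" is a client-side illusion
    return (200, media.blob) if media else (404, None)


# --- Fixed handlers: identity from the session, ownership enforced server-side -

def get_messages_fixed(token, params):
    user_id = _user_id(token)
    if user_id is None:
        return 401, None
    conv = int(params["conversation_id"])
    if not _is_participant(user_id, conv):
        return 403, None  # same answer whether or not the conversation exists
    return 200, [m.body for m in MESSAGES if m.conversation_id == conv]


def send_message_fixed(token, params, store):
    user_id = _user_id(token)
    if user_id is None:
        return 401, None
    conv = int(params["conversation_id"])
    if not _is_participant(user_id, conv):
        return 403, None
    store.append(Message(conv, user_id, params["body"]))  # sender is the session user, never a client field
    return 201, None


def get_media_fixed(token, params, now=None):
    user_id = _user_id(token)
    if user_id is None:
        return 401, None
    media = MEDIA.get(int(params["media_id"]))
    if media is None or not _is_participant(user_id, media.conversation_id):
        return 403, None  # missing and forbidden look identical, so ids cannot be enumerated
    if (now if now is not None else time.time()) >= media.expires_at:
        return 410, None  # gone: the server, not the client, decides when media disappears
    return 200, media.blob
```

The point of the side-by-side is that the vulnerable handlers are not unauthenticated: a valid session is required, so the flaw is invisible to tests that only check "does the API reject anonymous requests". It only shows up when the same request is replayed with a different `conversation_id`, `media_id` or `sender_id`, which is precisely the kind of edit an intercepting proxy makes trivial.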

Has Feeld Fixed the Vulnerabilities?

Feeld confirmed to MakeUseOf that its vulnerabilities were fixed as early as May 2024 and verified by a third party. The unfortunate communication lapse brought Feeld’s vulnerabilities into the public domain, but we’re assured they’re resolved.

That said, companies should be transparent about vulnerabilities affecting users, especially when dealing with sensitive personal information. There is no indication Feeld’s data was breached—but this story would be a very different read if it was, and the vulnerabilities were there to be exploited. It’s just lucky they weren’t, and a pentesting team got there first.

If you’re worried about hackers gaining access to your information, we recommend deleting the application and using one of the many other dating apps on the market.