bobdahacker (@bobdahacker@infosec.exchange)

🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty

What I found:

  • "Expiring" videos didn't expire, URLs stayed valid forever
  • Decrement attachment ID = anyone's private videos
  • Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
  • Fake system messages (made a Raid Shadow Legends sponsorship lol)

The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.

This is how disclosure should work. Take notes, Lovense.

Full writeup: https://bobdahacker.com/blog/taimi-idor

finnmyrstad (@finnmyrstad@eupolicy.social)

💥Just out! Important case for accountability in the online advertising industry. Grindr just lost its appeal, as its data is deemed sensitive under European law. More details forthcoming:

https://www.forbrukerradet.no/news-in-english/grindr-loses-appeal/

kinkkong (@kinkkong@kinkycats.org)

@finnmyrstad

Reminder to all: Don't use a . They are all made to socially manipulate us, grab our most intimate personal information, and make money from our and our . Many are owned by one single US company, : https://en.wikipedia.org/wiki/Match_Group#Dating_services_owned

Use the instead to 🙂

bobdahacker (@bobdahacker@infosec.exchange)

🚨 Hacked India's biggest dating app Flutrr (backed by The Times of India). Critical security flaws expose millions of users.

Technical details:

  • Zero authentication checks on ANY API endpoint
  • Can read/send messages as any user via WebSocket
  • Access anyone's sensitive profile data, matches, conversations
  • Update any user's data by just changing UID in requests
  • Delete anyone's account

Reported November 2024, they responded in March 2025 with a $100 gift card offer. Still unfixed.

Every single endpoint trusts client-provided user IDs without verification. This is as bad as it gets for a dating app handling sensitive personal data.

Full Technical Writeup: https://bobdahacker.com/blog/indias-biggest-dating-app-hacked
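Both of bobdahacker's posts above describe the same class of bug: the server takes the object ID or the acting user's ID from the request and never checks who is asking. The following is an added example, not code from either app or from the linked writeups, showing the vulnerable handler pattern beside a fixed one in which the actor is derived from the session and ownership is checked on every object fetch. The bearer tokens, user IDs, profile records and attachment IDs are constructed for the demo.

```python
# Added example: server-side object authorization, the fix for the flaws in both posts.
# Sessions, users and records below are constructed for this demo, not real app data.
SESSIONS = {"tok-alice": "u1", "tok-bob": "u2"}   # bearer token -> user id
PROFILES = {"u1": {"bio": "alice"}, "u2": {"bio": "bob"}}
ATTACHMENTS = {                                   # sequential ids, as the posts describe
    101: {"owner": "u1", "url": "https://cdn.example/101"},
    102: {"owner": "u2", "url": "https://cdn.example/102"},
}

class Unauthenticated(Exception): pass
class Forbidden(Exception): pass

def current_user(headers: dict) -> str:
    """Resolve the actor from the session token, never from the request body."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    uid = SESSIONS.get(token)
    if uid is None:
        raise Unauthenticated("missing or invalid session token")
    return uid

def update_profile_vulnerable(body: dict) -> dict:
    """The pattern the posts describe: body['uid'] is trusted as the actor."""
    target = PROFILES[body["uid"]]
    target.update(body["changes"])
    return target

def update_profile_hardened(headers: dict, body: dict) -> dict:
    """Actor comes from the session; a client-sent uid may only name the caller."""
    uid = current_user(headers)
    if body.get("uid") not in (None, uid):
        raise Forbidden("uid in request does not match the authenticated user")
    PROFILES[uid].update(body["changes"])
    return PROFILES[uid]

def get_attachment_hardened(headers: dict, attachment_id: int) -> dict:
    """Ownership check on every fetch; unknown and foreign ids get the same error,
    so neighbouring ids reveal nothing about whether a record exists."""
    uid = current_user(headers)
    att = ATTACHMENTS.get(attachment_id)
    if att is None or att["owner"] != uid:
        raise Forbidden("attachment not accessible")
    return att

def denied(fn, *args) -> bool:
    """True when the call is rejected with an authentication or authorization error."""
    try:
        fn(*args)
    except (Forbidden, Unauthenticated):
        return True
    return False
```

The vulnerable handler lets any caller rewrite any profile by naming its uid; the hardened versions ignore the caller's claim about who they are and refuse foreign objects with the same error as nonexistent ones.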

heiseonline (@heiseonline@social.heise.de)

ID document plus video selfie: Tinder offers identity verification

False information, photos or fake profiles are big problems for dating apps. On Tinder this can now be avoided, at the price of permanent data storage.

https://www.heise.de/news/Ausweis-plus-Video-Selfie-Tinder-bietet-Identitaetsnachweis-an-10341709.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon

kinkkong (@kinkkong@kinkycats.org)

@heiseonline

Urgent request to everyone: Don't use any s, and certainly none from (they own Tinder, OkCupid, Archer and about 97 more).

https://de.wikipedia.org/wiki/Match_Group#Marken_(Auswahl)

They only want one thing!
Your !

Share your data with the people you trust, with your loved ones, but not with !