bobdahacker (@bobdahacker@infosec.exchange), to random

🚨 Hacked India's biggest dating app Flutrr (backed by The Times of India). Critical security flaws expose millions of users.

Technical details:

  • Zero authentication checks on ANY API endpoint
  • Can read/send messages as any user via WebSocket
  • Access anyone's sensitive profile data, matches, conversations
  • Update any user's data by just changing UID in requests
  • Delete anyone's account

Reported November 2024, they responded in March 2025 with a $100 gift card offer. Still unfixed.

Every single endpoint trusts client-provided user IDs without verification. This is as bad as it gets for a dating app handling sensitive personal data.

Full Technical Writeup: https://bobdahacker.com/blog/indias-biggest-dating-app-hacked
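
The pattern the post describes, a handler that trusts a client-supplied user ID, shown next to a version that takes identity from a server-verified session. This is an added example, not code from the post or from Flutrr; the token scheme, handler names, status codes and sample profiles are assumptions constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
PROFILES = {"1001": {"bio": "alice"}, "1002": {"bio": "bob"}}  # constructed sample data


def _tag(uid: str) -> str:
    return hmac.new(SERVER_KEY, uid.encode(), hashlib.sha256).hexdigest()


def issue_token(uid: str) -> str:
    """Issued at login: the uid plus an HMAC tag only the server can compute."""
    return f"{uid}.{_tag(uid)}"


def authenticated_uid(token: str):
    """Return the uid bound to a valid token, or None if the token is missing or forged."""
    uid, _, tag = token.partition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(uid).encode())
    return uid if ok else None


def update_profile_trusting(request: dict) -> int:
    """Flawed pattern: the acting user is whatever uid the client put in the request."""
    PROFILES[request["uid"]]["bio"] = request["bio"]
    return 200


def update_profile_checked(request: dict) -> int:
    """Hardened: identity comes from the verified token; a uid in the body must match it."""
    actor = authenticated_uid(request.get("token", ""))
    if actor is None:
        return 401  # no valid session
    if request.get("uid", actor) != actor:
        return 403  # caller named an account other than their own
    if actor not in PROFILES:
        return 404
    PROFILES[actor]["bio"] = request["bio"]
    return 200
```

The same rule applies to a WebSocket channel: bind the uid once at the authenticated handshake and ignore any uid carried in later frames.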