Users of Feeld, a dating app for alternative relationships, may have had their sensitive data accessed due to cybersecurity vulnerabilities uncovered by a British firm.
Feeld, a UK-registered app known for its popularity among non-monogamous, queer, and kinky users, has seen significant financial success recently. However, this success has been overshadowed by revelations from a British cybersecurity firm, Fortbridge, which identified severe security weaknesses in the app’s system.
Fortbridge’s researchers found these vulnerabilities through penetration testing (‘pentesting’). They discovered that users’ messages, private photos, and details of their sexuality could be read, and in some cases edited, without a Feeld account: all an attacker needed was a target’s ‘stream user ID’, an identifier readily visible on user profiles. In other words, possession of a public identifier was being treated as proof of authorisation. Furthermore, photos and videos that were meant to be time-limited could be retrieved and viewed indefinitely via a link accessible to the sender.
The flaws also enabled hackers to change profile information, including names, ages, and sexual orientations. It was even possible to view other users’ matches and force a profile to ‘like’ another. Highlighting the gravity of these issues, Adrian Tiron, managing partner at Fortbridge, stated, ‘Although these aren’t the most sophisticated bugs we’ve found, they are certainly some of the most impactful due to Feeld’s large user base.’
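The bug class described in the two paragraphs above is a broken object-level authorisation check: the server accepts an identifier the client already knows (here a stream user ID) and uses it both to look up data and to decide who is asking, and it hands out media links that never expire. The following toy service, written for this page and not code from Feeld or Fortbridge, shows that pattern beside the corrected one: identity is taken from the session rather than from the request, the conversation key is built from the authenticated caller so it cannot reach another pair’s chat, and expiring media links are bound to one recipient and signed server-side. All names, tokens, hostnames and sample messages are constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data for the example; none of it is real.
SESSIONS = {"tok-alice": "u-alice", "tok-bob": "u-bob", "tok-mallory": "u-mallory"}
CONVERSATIONS = {frozenset({"u-alice", "u-bob"}): ["hi bob", "hi alice"]}
SIGNING_KEY = b"server-only-signing-key"  # assumption: held only by the server
CDN = "https://cdn.example"               # assumed hostname


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested object."""


def caller_from(session_token):
    """Resolve the acting user from the session, never from request fields."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("no valid session")
    return user


# Vulnerable pattern: the only input is an ID anyone can read off a profile,
# so knowing the ID is treated as being that user. No session is required.
def read_conversation_vulnerable(stream_user_id, other_id):
    return list(CONVERSATIONS.get(frozenset({stream_user_id, other_id}), []))


# Hardened pattern: the conversation key always contains the authenticated
# caller, so a caller can only ever retrieve chats they take part in.
def read_conversation(session_token, other_id):
    me = caller_from(session_token)
    pair = frozenset({me, other_id})
    if pair not in CONVERSATIONS:
        raise Forbidden("no such conversation for this caller")
    return list(CONVERSATIONS[pair])


# Vulnerable pattern: a permanent, unsigned link. Whoever holds it can fetch
# the media forever, which defeats any 'time-limited' promise made in the UI.
def media_link_vulnerable(media_id):
    return f"{CDN}/{media_id}"


def _sign(media_id, recipient, exp):
    msg = f"{media_id}|{recipient}|{exp}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


# Hardened pattern: the link carries an expiry and the intended recipient,
# both covered by an HMAC only the server can produce.
def media_link(media_id, recipient, ttl_seconds, now=None):
    exp = int((time.time() if now is None else now) + ttl_seconds)
    sig = _sign(media_id, recipient, exp)
    return f"{CDN}/{media_id}?to={recipient}&exp={exp}&sig={sig}"


def fetch_media(url, session_token, now=None):
    """Check the origin would run before serving bytes for a signed link."""
    me = caller_from(session_token)
    u = urlparse(url)
    media_id = u.path.rsplit("/", 1)[-1]
    q = parse_qs(u.query)
    try:
        recipient, exp, sig = q["to"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        raise Forbidden("malformed link")
    if not hmac.compare_digest(sig, _sign(media_id, recipient, exp)):
        raise Forbidden("bad signature")          # tampered 'to' or 'exp'
    if (time.time() if now is None else now) > exp:
        raise Forbidden("link expired")
    if recipient != me:
        raise Forbidden("link issued to someone else")
    return f"<bytes of {media_id}>"


def denied(fn, *args, **kwargs):
    """True when the call is refused with Forbidden; used to show the checks."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Mallory knows Alice's stream user ID from her profile but has no session.
    print(read_conversation_vulnerable("u-alice", "u-bob"))   # leaks the chat
    print(denied(read_conversation, "tok-mallory", "u-alice"))  # True
    link = media_link("m-1", "u-bob", ttl_seconds=60, now=1000)
    print(fetch_media(link, "tok-bob", now=1030))
    print(denied(fetch_media, link, "tok-bob", now=1100))   # expired
```

The same correction applies to the profile-edit and forced-‘like’ behaviour the article describes: any write that changes a profile must be performed on behalf of the session’s user, not on behalf of whichever stream user ID appears in the request body.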
In response, Feeld addressed these concerns within two months, asserting that no user data had been breached. However, it remains unclear how long the vulnerabilities existed before being reported by Fortbridge. Feeld decided against publicly sharing information about these flaws to avoid inviting malicious activity but promised direct communication with affected members about the resolutions.
Alex Lawrence-Archer, a solicitor at the data rights specialist law firm AWO, noted that Feeld could face repercussions from data regulators or users if it is proven that data was accessible. ‘If this is right, that personal data, including messages and private photos, was exposed,’ he said, ‘there’s a strong argument that it’s in breach of the core GDPR principle that data must be processed securely.’ This raises additional concerns, particularly for LGBTQ+ users in countries where homosexuality is outlawed.
The Information Commissioner’s Office (ICO) has not received reports of a data breach at Feeld. Feeld stated it did not inform the regulator because it had no evidence of data access and was awaiting third-party confirmation of its security measures. It has since rectified the issues identified by Fortbridge and is open to future penetration testing to ensure platform security.
Feeld’s quick resolution of the security flaws is a step towards safeguarding user data. However, the potential implications for user privacy underscore the necessity for robust cybersecurity measures in digital platforms.