{"id":165916,"date":"2025-05-02T17:56:04","date_gmt":"2025-05-02T17:56:04","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/05\/02\/exclusive-dating-app-raw-exposed-users-location-data-and-personal-information\/"},"modified":"2025-05-02T17:56:04","modified_gmt":"2025-05-02T17:56:04","slug":"exclusive-dating-app-raw-exposed-users-location-data-and-personal-information","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/05\/02\/exclusive-dating-app-raw-exposed-users-location-data-and-personal-information\/","title":{"rendered":"Exclusive: Dating app Raw exposed users&#8217; location data and personal information"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found.<\/p>\n<p class=\"wp-block-paragraph\">The exposed data included users\u2019 display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users\u2019 locations. Some of the location data included coordinates that were specific enough to locate Raw app users with street-level accuracy.<\/p>\n<p class=\"wp-block-paragraph\">Raw, which launched in 2023, is <a href=\"https:\/\/techcrunch.com\/2024\/05\/31\/sample-angel-pitch-deck-raw-dating-app\/\" target=\"_blank\" rel=\"noreferrer noopener\">a dating app<\/a> that claims to offer more genuine interactions with others in part by asking users to upload daily selfie photos. 
The company does not disclose how many users it has, but its app listing on the Google Play Store notes more than 500,000 Android downloads to date.<\/p>\n<p class=\"wp-block-paragraph\">News of the security lapse comes in the same week that the startup announced a hardware extension of its dating app, the Raw Ring, an <a href=\"https:\/\/www.fastcompany.com\/91295715\/a-new-wearable-from-dating-app-raw-promises-to-track-your-partners-emotions-in-real-time\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">unreleased wearable device<\/a> that it claims will allow app users to track their partner\u2019s heart rate and other sensor data to receive AI-generated insights, ostensibly to detect infidelity.<\/p>\n<p class=\"wp-block-paragraph\">Notwithstanding the <a href=\"https:\/\/techcrunch.com\/2025\/03\/19\/hacked-leaked-exposed-why-you-should-stop-using-stalkerware-apps\/\" target=\"_blank\" rel=\"noreferrer noopener\">moral and ethical issues of tracking romantic partners<\/a> and <a href=\"https:\/\/www.theverge.com\/wearables\/657475\/raw-ring-wearables-emotion-tracking-smart-ring\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">the risks of emotional surveillance<\/a>, Raw claims on its website and in its privacy policy that its app, and its unreleased device, both use <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#end-to-end-encryption\" target=\"_blank\" rel=\"noreferrer noopener\">end-to-end encryption<\/a>, a security feature that prevents anyone other than the user \u2014 including the company \u2014 from accessing the data.<\/p>\n<p class=\"wp-block-paragraph\">When we tried the app this week, which included an analysis of the app\u2019s network traffic, TechCrunch found no evidence that the app uses end-to-end encryption. 
Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.<\/p>\n<p class=\"wp-block-paragraph\">Raw fixed the data exposure on Wednesday, shortly after TechCrunch contacted the company with details of the bug.<\/p>\n<p class=\"wp-block-paragraph\">\u201cAll previously exposed endpoints have been secured, and we\u2019ve implemented additional safeguards to prevent similar issues in the future,\u201d Marina Anderson, the co-founder of Raw dating app, told TechCrunch by email.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">When asked by TechCrunch, Anderson confirmed that the company had not performed a third-party security audit of its app, adding that its \u201cfocus remains on building a high-quality product and engaging meaningfully with our growing community.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Anderson would not commit to proactively notifying affected users that their information was exposed, but said the company would \u201csubmit a detailed report to the relevant data protection authorities under applicable regulations.\u201d<\/p>\n<p class=\"wp-block-paragraph\">It\u2019s not immediately known how long the app was publicly spilling its users\u2019 data. Anderson said that the company was still investigating the incident.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Regarding its claim that the app uses end-to-end encryption, Anderson said Raw \u201cuses encryption in transit and enforces access controls for sensitive data within our infrastructure. 
Further steps will be clear after thoroughly analyzing the situation.\u201d\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Anderson would not say, when asked, whether the company plans to adjust its privacy policy, and Anderson did not respond to a follow-up email from TechCrunch.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-we-found-the-exposed-data\"><strong>How we found the exposed data<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">TechCrunch discovered the bug on Wednesday during a brief test of the app. As part of our test, we installed the Raw dating app on a virtualized Android device, which allows us to use the app without having to provide any real-world data, such as our physical location.<\/p>\n<p class=\"wp-block-paragraph\">We created a new user account with dummy data, such as a name and date of birth, and configured our virtual device\u2019s location to appear as though we were at a museum in Mountain View, California. When the app requested our virtual device\u2019s location, we allowed the app access to our precise location down to a few meters.<\/p>\n<p class=\"wp-block-paragraph\">We used a network traffic analysis tool to monitor and inspect the data flowing in and out of the Raw app, which allowed us to understand how the app works and what kinds of data the app was uploading about its users.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">TechCrunch discovered the data exposure within a few minutes of using the Raw app. When we first loaded the app, we found that it was pulling the user\u2019s profile information directly from the company\u2019s servers, but that the server was not protecting the returned data with any authentication.<\/p>\n<p class=\"wp-block-paragraph\">In practice, that meant anyone could access any other user\u2019s private information by using a web browser to visit the web address of the exposed server \u2014 <code>api.raw.app\/users\/<\/code> followed by a unique 11-digit number corresponding to another app user. 
Changing the digits to correspond with any other user\u2019s 11-digit identifier returned private information from that user\u2019s profile, including their location data.<\/p>\n<div class=\"wp-block-group alignwide is-nowrap is-layout-flex wp-container-core-group-is-layout-4 wp-block-group-is-layout-flex\">\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"991\" height=\"703\" src=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png\" alt=\"a screenshot showing the location of the TechCrunch user's profile on a map, hovering over Mountain View, California.\" class=\"wp-image-3002383\" style=\"box-shadow:var(--wp--preset--shadow--natural)\" srcset=\"https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png 991w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=150,106 150w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=300,213 300w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=768,545 768w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=680,482 680w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=430,305 430w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=720,511 720w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=900,638 900w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=800,568 800w, 
https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=668,474 668w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=529,375 529w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=870,617 870w, https:\/\/techcrunch.com\/wp-content\/uploads\/2025\/05\/raw-app-exposed-data-location.png?resize=708,502 708w\" sizes=\"auto, (max-width: 991px) 100vw, 991px\"\/><figcaption class=\"wp-element-caption\"><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong>TechCrunch<\/span><\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">This kind of vulnerability is known as an insecure direct object reference, or IDOR, a type of bug that can allow someone to access or modify data on someone else\u2019s server because of a lack of proper security checks on the user accessing the data.<\/p>\n<p class=\"wp-block-paragraph\">As <a href=\"https:\/\/techcrunch.com\/2023\/07\/27\/cisa-nsa-australia-idor-flaws\/\" target=\"_blank\" rel=\"noreferrer noopener\">we\u2019ve explained before<\/a>, IDOR bugs are akin to having a key to a private mailbox, for example, but that key can also unlock every other mailbox on that same street. As such, IDOR bugs can be exploited with ease and in some cases enumerated, allowing access to record after record of user data.<\/p>\n<p class=\"wp-block-paragraph\">U.S. 
cybersecurity agency CISA has long warned of the risks that IDOR bugs present, including the ability to access typically sensitive data \u201cat scale.\u201d As part of its <a href=\"https:\/\/www.cisa.gov\/securebydesign\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Secure by Design<\/a> initiative, CISA said <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-208a\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">in a 2023 advisory<\/a> that developers should ensure their apps perform proper authentication and authorization checks.<\/p>\n<p class=\"wp-block-paragraph\">Since Raw fixed the bug, the exposed server no longer returns user data in the browser.\u00a0<\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2025\/05\/02\/dating-app-raw-exposed-users-location-data-personal-information\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security lapse at dating app Raw publicly exposed the personal data and private location data of its users, TechCrunch has found. The exposed data included users\u2019 display names, dates of birth, dating and sexual preferences associated with the Raw app, as well as users\u2019 locations. 
Some of the location data included coordinates that were [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":165917,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-165916","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/165916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=165916"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/165916\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/165917"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=165916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=165916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=165916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}