Security researchers at vpnMentor have discovered a vulnerability in JCrush that could have been used to access private user data. Here are some details on this case.
JCrush is a dating app (similar to Tinder) for people of Jewish faith and is used worldwide. JCrush is part of the Crush Mobile family of dating apps (1.5 million users) acquired by Northsight Capital, Inc. in 2018.
(Source: Pexels, Markus Spiske, CC0 license)
The hacktivists Noam Rotem and Ran Locar of the vpnMentor research team discovered a data leak in a Mongo database while investigating the app. It contained 18,454 GB of unencrypted data. These records could be used to retrieve full names, e-mails, pictures, private (and sometimes explicit) messages, and more about the people involved.
After the data leak was discovered on May 30, 2019, vpnMentor contacted JCrush on May 31, 2019. The data leak was closed on the same day, but so far neither JCrush nor Northsight Capital, Inc. has provided any feedback. Details about this data leak can be found here.