A misconfiguration in the admin dashboard of Unjected, a dating site built for people who do not want to be vaccinated against Covid-19, has exposed the sensitive data of its entire user base, the media reported earlier this week.
A cybersecurity researcher going by the name GeopJr recently reached out to the Daily Dot and demonstrated that the misconfiguration allowed him, or anyone else who knew where to look, to become the site’s administrator.
GeopJr demonstrated that the site was published live with “debug mode” turned on. This is a mode used by software developers while a site is still under construction, and as such it comes with a wide array of settings and features intended for testing. Such a mode should never be left on in a deployed application, the publication stresses.
Accessing the database
As an admin, a user can change pretty much anything on the site: add or remove pages, edit or delete any of the posts, and access the site’s backups.
The admin also has access to the entire user database and all of the details listed in there which, in this particular case, include names, dates of birth, email addresses, and (optionally) postal addresses. This data can be abused for identity theft, for example.
The dating site counts some 3,500 users, whose sensitive data have now been exposed.
It may be a small site, but its ambitions are quite big: dating is just one of the services offered on the site, another being “fertility”, where users can donate semen, eggs, or breast milk. There is also a “blood bank” service, the publication has found, where people can donate blood. Both of these services are advertised as “mRNA-free”.
The Unjected app is currently only available on the Google Play Store, as it was kicked from Apple’s App Store for violating the company’s Covid-19 content policies. On Android, it appears to have more than 10,000 downloads.
Via: The Daily Dot