Large Vulnerability in Minder Potentially Compromised a Quarter Million Users' Data

Mohammed Davoodi
Dec 23, 2017

Summary

Earlier this week I was inspecting my phone's Wi-Fi traffic, and I took a look at the API calls Minder was making. I discovered that Minder had a large security vulnerability. I reported this issue to Minder's team immediately, and they fixed it within a day.

I don't know how long this vulnerability existed, but the amount of personal information that could have been stolen by hackers is severe because every active person on Minder has a discoverable profile. We're talking about anyone who has had a discoverable Minder account for the length of time that this vulnerability has existed. It's possible hackers could have compiled a list of ALL of Minder's users and their personal information if this vulnerability was open for long enough.

Stolen Data

Here’s a list of personal information that was potentially stolen if you were or are a Minder user:

  • Your full name
  • Your birthday
  • Your exact location (GPS coordinates from Minder, which can be used to figure out your zip code).
  • Your phone number
  • Your email
  • Your Instagram account ID and access token
  • Your Facebook account ID and access token

Access tokens could have been used to gain access to your Instagram and Facebook accounts (thankfully, only within the scope of the permissions Minder asks for). Your birthday, full name, phone number, and location could be used to steal your identity.

It's also possible that anyone you have interacted with in any capacity on Minder (whether you've matched with them or not) now has a lot more information about you than you would've liked. We don't know who else knew this vulnerability existed.

Resolution

The vulnerability has been patched, but another concern is that Minder's API still returns users' full names, Facebook IDs, and Instagram IDs in API calls. This could be used to build a searchable address book of every single user on Minder.

Technical Details

The data sent to and from Minder contained significantly more information than needed. Take a look at an example API call I made to the potential matches API (tokens and personal values are redacted):

GET /api.minderme.co/v3/profiles/potential/360646
Host:api.minderme.co
Accept-Encoding:gzip, deflate
Connection:close
Accept:*/*
x-minder-is-app-v3:yes
User-Agent:Minder/68 CFNetwork/893.14.2 Darwin/17.3.0
Authorization:Bearer fAkEacCeSsTok3n
Accept-Language:en-us
[
{
"id": 1,
"name": "Mohammed Davoodi",
"first_name": "Mohammed",
"last_name": "Davoodi",
"email": "myemailaddress@gmail.com",
"locale": "en_US",
"country": "US",
"gender": "male",
"userId": null,
"greeting": "😊",
"aboutMe": "Worlds most eligible bachelor.",
"facebookId": "9001",
"discoverable": true,
"occupation": "",
"education": "undergraduate_degree",
"flavor": "Just Muslim",
"age": 100,
"birthday": "1904-01-15T00:00:00.000Z",
"timezone": "-8",
"facebookVerified": true,
"minAge": 20,
"maxAge": 41,
"ethnicity": null,
"languages": [
"English",
"Urdu"
],
"photos": [
{
"id": "1",
"url": "https://minder-photos.s3.amazonaws.com/1.jpg",
"width": 720,
"height": 719,
"source": "facebook-s3"
},
{
"id": "2",
"url": "https://minder-photos.s3.amazonaws.com/2.jpg",
"width": 1365,
"height": 1365,
"source": "facebook-s3"
}
],
"likes": null,
"lastLoginDate": "2017-12-21T19:03:03.204Z",
"createdAt": "2017-12-21T06:10:10.290Z",
"updatedAt": "2017-12-21T19:03:03.204Z",
"display_location": "California, US",
"hometown": null,
"religiosity": "2.9487180167616014",
"reviewDate": "2017-12-21T14:46:02.972Z",
"approved": true,
"rejected": false,
"firstTime": false,
"admin": false,
"accessToken": "fAcEb00kAc3ssT0k3n",
"locationUpdatedAt": "2017-12-21T14:38:31.695Z",
"location_point": {
"type": "Point",
"coordinates": [
-1.000000000000,
1.0000000000000
]
},
"premium": false,
"premiumTransactionId": null,
"locationPreference": null,
"ethnicityPreference": null,
"flavorPreference": null,
"educationPreference": null,
"premiumExpirationDate": null,
"telegramsCount": null,
"instagramId": 1,
"instagramAccessToken": "iNstAgramAcessToken",
"phoneCountry": "US",
"phoneCountryCode": 1,
"phoneNumber": "123456789",
"selfie": "https://minder-photos.s3.amazonaws.com/images/selfie.jpg",
"rejectedCount": null,
"familyOrigin": [
"USA"
],
"height": null,
"marital": null,
"smoking": null,
"drinking": null,
"children": null,
"traits": null,
"banned": null,
"bannedBy": null,
"banReason": null,
"halalMeatOnly": null,
"idealMaritalTiming": null,
"familyOriginPreference": null,
"instantMatchesCount": null,
"miles": 39,
"hasLocation": true
},
{...}
]

Any API that sent or received user data had this problem. I got the same result by hitting their history API and their matches API.

Minder only holds the personal information you gave it when you signed up. If you didn't use Facebook or Instagram to sign up or log in, those accounts should be safe.

The way a hacker could've gathered user data is by making a Minder account and using the discovery API to discover as many profiles as possible. They could leave this script running for a period of weeks or months, adding new users as they joined the platform.
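The fix on the server side is to stop serializing the full user record and instead allowlist the handful of fields another member actually needs to see. Below is an added example (not Minder's code) of such a public-profile serializer, plus an audit function that walks a JSON response and reports any sensitive key that slips through, the kind of check the author did by hand. The field names come from the response above; the sample user and the list of public fields are constructed assumptions.

```javascript
// Fields another member legitimately needs to see on a potential match.
// Assumption: this is the minimal set for a discovery card.
const PUBLIC_PROFILE_FIELDS = ['id', 'first_name', 'age', 'gender', 'greeting',
  'aboutMe', 'occupation', 'education', 'languages', 'photos',
  'display_location', 'miles'];

// Keys from the leaked response that must never reach another user.
const SENSITIVE_KEYS = ['name', 'last_name', 'email', 'birthday', 'facebookId',
  'instagramId', 'accessToken', 'instagramAccessToken', 'phoneNumber',
  'phoneCountryCode', 'location_point', 'selfie', 'lastLoginDate',
  'banned', 'bannedBy', 'banReason'];

// Build the response object by copying only allowlisted fields (deny by default).
function toPublicProfile(user) {
  const out = {};
  for (const key of PUBLIC_PROFILE_FIELDS) {
    if (user[key] !== undefined) out[key] = user[key];
  }
  // Coarsen the distance to 5-mile steps so exact positions are not implied.
  if (typeof out.miles === 'number') out.miles = Math.max(5, Math.round(out.miles / 5) * 5);
  return out;
}

// Recursively scan any JSON value; returns dotted paths of sensitive keys found.
function findSensitiveKeys(value, path = '') {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitiveKeys(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SENSITIVE_KEYS.includes(k)) hits.push(p);
      hits.push(...findSensitiveKeys(v, p));
    }
  }
  return hits;
}

// Constructed sample record mirroring the leaked shape (all values are fake).
const SAMPLE_USER = {
  id: 1, name: 'Jane Doe', first_name: 'Jane', last_name: 'Doe',
  email: 'jane@example.com', gender: 'female', age: 30, facebookId: '9001',
  birthday: '1987-01-15T00:00:00.000Z', accessToken: 'fAcEb00kAc3ssT0k3n',
  instagramAccessToken: 'iNstAgramAcessToken', phoneNumber: '123456789',
  location_point: { type: 'Point', coordinates: [-1.0, 1.0] },
  display_location: 'California, US', miles: 39, aboutMe: 'Hello',
  languages: ['English'], photos: [{ id: '1', url: 'https://example.com/1.jpg' }],
};
```

Running findSensitiveKeys over the raw record reports nine leaked paths; running it over toPublicProfile(SAMPLE_USER) reports none, which is the property an automated test on every user-facing endpoint should enforce.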

Minder’s Response

We won't know the true impact of this until Minder investigates to see how long this vulnerability existed. The developer I spoke with said they were investigating the scope of the breach. I'm hoping they will be quick and transparent in notifying users about the implications of this vulnerability and the potential loss of their data.

I'm really surprised by the severity of this vulnerability. This isn't something I found by exploiting a bug; it's something that was just there. It's as if a bank had left its safe door open. I'm not a security expert at all, and this wasn't something that only a security expert could've found. A freshman Computer Science student who saw the data Minder's API returned would've known something was wrong.

The severity of the vulnerability also leads me to doubt how secure the platform is overall. If a vulnerability as easily detectable as that existed, I’m terrified of the more subtle vulnerabilities that could be on their platform. Vulnerabilities that could be found by someone who was actually trying.

Now don't get me wrong, I love Minder, and I use it almost every day. But this sort of vulnerability scares me. It's an amateur-hour mistake, not something I'd expect from one of the biggest Muslim dating platforms with over a quarter million users.

Mohammed Davoodi

CEO @Soteriaio, Formerly Founder & CEO @Mohamicorp (Acquired by Appfire), Flight Software Engineer @SpaceX, Software Developer @Amazon, @virginia_tech Alumni