2025-09-05 –, Track 2
This talk explores the importance of implementing robust access controls in GraphQL and REST APIs and the severe consequences when these controls are not properly enforced. GraphQL, a flexible data query language, allows clients to request exactly the data they need, but without proper access control mechanisms, sensitive data can be easily exposed. Using the Feeld mobile dating app as a case study, we will dive into a critical security review of how the lack of access controls in GraphQL and REST endpoints led to the exposure of users' personal data, including sensitive photos, videos and private messages. This session will highlight common access control vulnerabilities in GraphQL and REST implementations, real-world examples of security lapses, their impact, and their remediation.
We dive into a critical security review of the Feeld dating app.
Feeld, known for its unique features that cater to a wide range of preferences and relationships, unfortunately had serious security vulnerabilities that exposed users' private data, including sensitive photos and personal information.
Here’s what we uncovered:
1- Profile information was accessible to non-premium users.
2- Other people's messages could be read without proper authentication.
3- Photos and videos from chats were exposed unauthenticated.
4- The ability to delete, recover, and edit other people's messages.
5- Profile information could be updated by anyone.
6- Unauthorized likes from any profile.
7- Messages could be sent in other users' chats.
8- Viewing others' matches without permission.
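The findings above (reading, deleting and sending messages in other users' chats) share one root cause: a resolver that trusts a client-supplied object id and never checks whether the caller owns or participates in that object. The following is an added example, not code from the talk, from Feeld or from FortBridge; it uses a plain JavaScript resolver layer in the (parent, args, context) shape that graphql-js uses, without importing the library, and all chats, messages and user names in it are constructed. It puts the vulnerable resolver beside a hardened one that routes every object access through a single participant check.

```javascript
// Added example: object-level authorization in GraphQL-style resolvers.
// Resolver signature (parent, args, context) mirrors graphql-js; no library needed.
// All data below is constructed for the demonstration.

// Constructed in-memory data: two chats, each with two participants.
const chats = new Map([
  ['chat-1', { id: 'chat-1', participants: ['alice', 'bob'] }],
  ['chat-2', { id: 'chat-2', participants: ['carol', 'dave'] }],
]);
const messages = new Map([
  ['m-1', { id: 'm-1', chatId: 'chat-1', author: 'alice', text: 'hi bob', deleted: false }],
  ['m-2', { id: 'm-2', chatId: 'chat-2', author: 'carol', text: 'hi dave', deleted: false }],
]);

class AuthorizationError extends Error {}

// The flaw: the resolver returns whatever object matches the supplied id and
// never asks whether the caller is allowed to see or change it. Ownership of
// the message, and even the presence of a logged-in user, is never consulted.
const vulnerableResolvers = {
  Query: {
    message: (_parent, { id }, _context) => messages.get(id) ?? null,
  },
  Mutation: {
    deleteMessage: (_parent, { id }, _context) => {
      const m = messages.get(id);
      if (m) m.deleted = true;
      return m ?? null;
    },
  },
};

// Hardened form: one check that resolves the object's chat and verifies the
// caller is authenticated and is a participant of that chat.
function requireChatParticipant(context, chatId) {
  if (!context.user) throw new AuthorizationError('unauthenticated');
  const chat = chats.get(chatId);
  if (!chat || !chat.participants.includes(context.user)) {
    // Same error for "does not exist" and "not yours", so responses do not
    // reveal which ids are valid.
    throw new AuthorizationError('forbidden');
  }
  return chat;
}

const hardenedResolvers = {
  Query: {
    message: (_parent, { id }, context) => {
      const m = messages.get(id);
      if (!m) throw new AuthorizationError('forbidden');
      requireChatParticipant(context, m.chatId);
      return m;
    },
  },
  Mutation: {
    deleteMessage: (_parent, { id }, context) => {
      const m = messages.get(id);
      if (!m) throw new AuthorizationError('forbidden');
      requireChatParticipant(context, m.chatId);
      // Being in the chat is not enough: only the author may delete a message.
      if (m.author !== context.user) throw new AuthorizationError('forbidden');
      m.deleted = true;
      return m;
    },
    sendMessage: (_parent, { chatId, text }, context) => {
      requireChatParticipant(context, chatId); // caller must be in the target chat
      const msg = { id: `m-${messages.size + 1}`, chatId, author: context.user, text, deleted: false };
      messages.set(msg.id, msg);
      return msg;
    },
  },
};

// Runs a resolver and reduces the outcome to a label so the two
// implementations can be compared side by side.
function tryResolve(resolver, args, context) {
  try {
    const result = resolver(null, args, context);
    return result ? 'allowed' : 'not-found';
  } catch (e) {
    if (e instanceof AuthorizationError) return 'denied';
    throw e;
  }
}

// Demo: bob, a participant of chat-1 only, requests message m-2 from chat-2.
const asBob = { user: 'bob' };
console.log('vulnerable read:', tryResolve(vulnerableResolvers.Query.message, { id: 'm-2' }, asBob));
console.log('hardened read  :', tryResolve(hardenedResolvers.Query.message, { id: 'm-2' }, asBob));
```

The design point is that the check lives in one function called from every resolver that touches a chat-scoped object, rather than being re-implemented (or forgotten) per field; the same applies to REST handlers that take an object id in the path.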
Bogdan Tiron has explained each vulnerability in detail, providing insights into the security lapses that put user data at risk.
Read the full blog post to learn more about these issues and the importance of implementing stronger security measures for mobile apps:
https://fortbridge.co.uk/research/feeld-dating-app-nudes-data-publicly-available/
This case study got featured in The Guardian:
https://www.theguardian.com/business/2024/sep/17/dating-app-feeld-personal-data-cybersecurity
Bogdan Tiron is a seasoned security consultant with over 10 years of experience specializing in application security. He has a proven track record of enhancing security measures for leading organizations, including bet365, JPMorgan Bank, GFK, HSBC, Lloyds Bank, and WorldRemit. Throughout his career, Bogdan has held various roles, including application security consultant, pentester, security architect, and DevSecOps specialist. Four years ago, recognizing a gap in quality within the pentesting industry, he co-founded FORTBRIDGE, a cybersecurity consulting company that offers pentesting, phishing, and red-teaming services to clients seeking to enhance their security posture. Passionate about staying ahead of emerging threats, Bogdan is dedicated to fostering a culture of security within organizations and empowering teams to integrate security practices seamlessly into their workflows.