I hacked a dating app (and how not to treat a security researcher)
alexschapiro.com570 points by bearsyankees a year ago
570 points by bearsyankees a year ago
Not excusing this is any way, but this app is apparently a fairly junior effort by university students. While it should make every effort to follow good security (and communication) practices, I'd not be too hard on them considering how some big VC funded "adult" companies behave when presented with similar challenges.
https://georgetownvoice.com/2025/04/06/georgetown-students-c...
I vehemently disagree. 'Well, they didn't know what they were doing, so we shouldn't judge them too harshly' is a silly thing to say. They didn't know what they were doing _and still went through with it_. That's an aggravating, not extenuating, factor in my book. Kind of like if a driver kills someone in an accident and then turns out not to have a license.
Still not excusing them, but these HN responses are very hypocritical.
US tech is built on the "go fast, break things" mentality. Companies with huge backers routinely fail at security, and some of them actually spend money to suppress those who expose the companies' poor privacy/security practices.
If anything, college kids could at least reasonably claim ignorance, whereas a lot of HN folks here work for companies who do far worse and get away with it.
Some companies, some unicorns, knowingly and wilfully break laws to get ahead. But they're big, and people are getting rich working for them, so we don't crucify them.
It’s also why other regulatory zones outside the US, with much stronger privacy laws like the EU, don’t seem to produce as much innovation, while the US and China keep churning out new stuff.
It’s a trade-off between shipping fast and courting risk. I’m not judging one over the other; it comes down to what you’re willing to accept, not what you wish for.
“Go fast, break things” was invented at places where the best developers worked on the world. Applying the mentality without great developers is not how great startups were made.
I'm not sure hypocritical is the right word as you have no idea who parent is, maybe it's Pope Bob for all you know
> They didn't know what they were doing _and still went through with it_
You don't know what you don't know; sometimes people can think they do know what they're doing and they just haven't encountered situations otherwise. We were all new to programming once; no one would ever become a solid engineer if they prevented themselves from building anything out of fear of doing something wrong that they did not account for out of lack of experience.
This is where the 'unknown unknowns' quote comes in useful. I don't know anything about blockchain technology, but I know that I don't know anything about it. When you make software which involves handling people's information your first thought should be 'do I know all I need to know about handling this information properly?', and your second thought should be 'do I really know all I need to know about handling this information properly?'.
+1: if you cannot do security, you have no business making dating apps. The kind of data those collect can ruin lives overnight. This is not a theory, here is a recent example: https://www.bbc.com/news/articles/c74nlgyv7r4o
When I was a student I was leading a project where we made a timeclock web software.
I enforced a no-login policy, because I didn't want potential users to even think about entering a password into a form on the website. I didn't trust myself or my group to handle it correctly, so I decided it was best to just side-step the problem. Naturally this made the application a lot less useful - but it was a student project, who cares.
Software engineering students have an obligation to ethics just like all other engineers. We need to think these things through, and decide if we even want to implement features. And we need to be thinking in terms of risk, not design.
Storing sensitive data is risky, even if you're really talented. Companies will try to put processes in place to mitigate that risk. But students are almost certainly not doing that, so they should be questioning if they should even be doing what they're doing in the first place.
I would agree with you. Dating app data might not be legally protected like some PII out there, but there are easily foreseeable bad consequences from compromised dating app data of any kind. Security should be accounted for from the very beginning.
If you cannot do security, you have no business making any app people use in significant numbers containing Personally Identifiable Information (PII).
Perhaps, like GDPR, HIPAA, and similar, any (web|platform)apps that contain login details and/or PII must thoroughly distance themselves from haphazard, organic, unprofessional, and (bad) amateurish processes and technologies and conform to trusted, proven patterns, processes, and technologies that are tested, audited, and preferably formally proven for correctness. Without formalization and professional standards, there are no standards and these preventable, reinvent-the-wheel-badly hacks will continue doing the same thing and expecting a different result™. Massive hacks, circumvention, scary bugs, other attacks will continue. And, I think this means a proper amount of accreditation, routine auditing, and (the scary word, but smartly) regulation to drag the industry (kicking-and-screaming if need by by showing using appropriate leadership on the government/NGO-SGE side) from an under-structured wild west™ into professionalism.
The claim that it should have come up in a government vetting process seems to be proof that one should publish one's own dating information before entrusting it to a site that might have lost it or worse might provide it to a government specifically.
Your statement similar to : If you cannot cook an egg on the normal pan without sticking problem, you should not serve food in chicken.
They are merely unconstructive statement, developer have free will, they spent time and money to make the app, customer spent time and money to use their app. If there are any mistakes, util you prove that they were intentional harm the customer - or - violating the contract of data safety between the app and the customer, they are free to keep their business. The free market will decide what will happen next.
And the link you gave as an example was just made nonsense. The victim was being fired from the position which worked for security of government because he did not have honesty from the start, did not inform that he use a dating app. With his private data in a dating app, even if they were not leaked: the data can be exchanged illegally in the background, which can lead to social engineering, harm the government and nation he is working for. Actually, that firm and the nation was lucky that his data was being leaked - on purpose by someone. It was his vault.
This is exactly why I think software engineering should require a licensing requirement, much like civil engineering. I get that people will complain about that destroying all sorts of things, and it might, yes, but fight me. Crap like this is exactly why it should be a requirement, and why you won’t convince me that the idea is not in general a good one.
While the idea is good, I'm not sure how this would get implemented realistically. The industry standards/audits are silly checkbox exercises rather then useful security. The biggest companies are often terrible as far as secure design goes. The government security rules lag years behind the SotA. For example how long did it take NIST to stop recommending changing passwords?
Civil engineering works well because we mostly figured it out anyway. But looking at PCI, SOX and others, we'd probably just require people to produce a book's worth of documentation and audit trail that comes with their broken software.
I worked on a project that was using federal tax information and had IRS 1075 compliance requirements. Those follow some version of NIST that was out of date at the time.
We had two security teams. Security and compliance. It was not possible to be secure and compliant, so the compliance team had to document every deviance from the IRS standard and document why, then self-report us and the customer to audit the areas where we were outside the lines. That took a dozen people almost a year to do.
All of that existed because a US state (S Carolina iirc) was egregiously incompetent and ended up getting breached. Congress “did something” about it.
This is why delegated authorities should be managing things instead of congress itself. Because congress has no idea what they're doing on technical topics generally.
There's no governing body that continually researches, vets and updates standards of security. There should be, honestly, but there isn't. Thats not true of professional engineering organizations, or medical boards, or the Bar Association etc.
They all update their recommendation and standards routinely, and do a reasonably good job at being professional organizations.
The current state of this as regards to the tech sector doesn't mean its impossible to implement.
Thats why all the usual standards (PCI, SOC2 in particular) are performative in practice. There's nothing that holds industry accountable to be better and there is nothing, from a legal stand point, that backs up members of the association if they flag an entity or individual for what would be effectively malpractice.
I feel like people who suggest governing bodies for this kind of stuff always imagine some perfect unicorn organization that makes perfect recommendations where as I usually imaging every UX turning into the worst possible 20x step process because of "regulations" and it will actually just be theater and not actually solve whatever problems it claims to.
I don't imagine some perfect unicorn organization myself.
I do imagine a technical organization that strives to do its best and would have sufficient scope to protect its members legally if need be, so members would be empowered to make the best decisions possible.
I mean, bridges collapse sometimes. It’s not really about making things perfect from the get go, it’s about making sure that the industry as a whole learns from mistakes. And I agree that some of the existing standards and audits are checkboxes at best, and actively suggesting problems at worst. But, we need to be evolving those actively anyways, that has to be baked into the DNA of whatever this licensing scheme ends up being.
Anyways, I’m not the one who should be deciding the specifics here, it should be a collaboration between lots of different parties, even if I may have a seat at that table. But we have got to get away from the notion (as seen in other comments in this thread) that any sort of attempt to prevent this kind of harm before it happens is authoritarianism.
Agreed. My stance on this changed over the course of some years after a close family member married an actual engineer (structural) and I got a lot of insight into that world.
It's astonishing to me the ease of which software developers can wreak _real_ measurable damage to billions of lives and have no real liability for it.
Software developers shouldn't call themselves engineers unless they're licensed, insured and able to be held liable for their work in the same way a building engineer is.
Some engineers like to go on about this, but the reality is they offload the work to marginally qualified techs and unlicensed engineers and stamp the document, just like in software.
There are all sorts of failures in the structural space. How many pumped reinforced concrete buildings are being built in Miami right now? How many of them will be sound in 50-75 years? How likely is the architect/PE’s ghost to get sued?
PE’s are smart professionals and do a valuable service. But they aren’t magic, and they all have a boss.
well software generally harmless until you integrate in your car (see: Tesla)
I think there defo a line where bug in your puzzle app don't need a license vs AI that drive your 50k+ tesla
I'm curious how you think this would be implemented. Do you think you should need a license to publish on GitHub? Write code on your own computer and run it? Because this was just a startup that some kids founded so saying that a license would have to be a prerequisite to hiring somebody would not cut it. You'd have to cut off their ability to write/run code entirely.
I mean, kind of? You can't really start any kind of trade business without credentials (other than low-paying under the table work for people who don't care).
You can't stop someone from doing electrical repairs on their own home but if the house burns down as a result, the homeowners' insurance will probably just deny the claim, and then they risk losing their mortgage. Basically, if you make it bureaucratically difficult to do the wrong thing, you'll encourage more of the right thing.
> This is exactly why I think software engineering should require a licensing requirement, much like civil engineering.
Civil engineering requires licensing because there are specific activities that are reserved for licensed engineers, namely things that can result in many people dying.
If a major screwup doesn't even motivate victims to sue a company then a license is not justified.
I would say the risk of identity theft for over 150 million people justifies some preventative measures. And yes, there also were hundreds of lawsuits.
https://en.wikipedia.org/wiki/2017_Equifax_data_breach
Or how about four suicides and 900+ wrongful convictions?
https://en.wikipedia.org/wiki/British_Post_Office_scandal
Not to mention the various dating app leaks that led to extortion, suicides and leaking of medical information like HIV status. And not to forget the famous Therac-25 that killed people as direct result of a race condition.
Where's the threshold for you?
I mean this is Tech industry, everyone here gather data big tech or not,
I'm not saying I'm pro identity theft or data breach or something, but the industry culture is vastly different
people here are pro on move fast break things some of idea, I think you just cant tbh
Everyone in business is move fast and break things and let people die if it's cheaper until regulations force them not to be. Software is just new enough that mostly doesn't exist yet.
Systematically violating people's privacy while not caring about protecting their data is not culture, it's called a problem.
Perhaps they could move even faster and scale better by collecting and storing less data. Moving forward fast instead of moving frantically while looking for things to break seems more reasonable to me. But then again I'm not the kind of person to become a billionaire tech CEO who's unironically bragging about being called the Eye of Sauron, so what do I know.
Conversely, it's the scale, not magnitude. A single physical infrastructure failure can usually only harm a very limited number of people. A digital infrastructure breach can trivially harm millions.
Observing that each individual harm may not be worth the effort of suing over is evidence that the justice system is not effective at addressing harm in the aggregate, not evidence of lack of major harm.
You haven't thought thought this through. What happens with open source? I need a license to make a PR on github. It will also push all software engineering to places where there isn't a license requirement or onto the darknet.
Yes, I have. You aren’t allowed to build a faulty bridge, even free of charge.
Maybe you are allowed to build that faulty bridge in, I dunno, Laos or whatever, and if people go to Laos specifically to drive on your bridge, then that’s on them if it collapses. But countries can and do successfully regulate how software is handled in their jurisdiction, see GDPR for example. It’s not an unsolvable problem, and even if there are cracks (like there are with GDPR), the solution isn’t to throw our hands up and say “welp, nothing to be done, just have to accept that sometimes people’s intimate personal details gets leaked.”
If you think my suggestion is bad (which it very well may be), happy to hear your take on how to prevent things like this and and other negligent software.
Yes, I will happily fight against authoritarian takes cloaked in vagueries.
I don’t believe engineering licensing is authoritarian, and I’d be interested in hearing why you believe that to be the case (especially, considering, most “real” engineering field have had licensing requirements for a century, without any real complaints against that process).
They believe any regulation is authoritative overreach so I doubt you're gonna get anywhere.
Check their comments there's screeds about compelling labor over like basic concepts.
There are pretty major exceptions to what require engineering licenses, and it is pretty unclear where software should fall in.
You can sign a liability waiver and do all sorts of dangerous things.
>most “real” engineering field have had licensing requirements for a century, without any real complaints against that process).
Most newer engineering fields are trending away from licensing, not towards it. For example, medical device and drug engineering doesn't use it at all.
> medical device and drug engineering
is a special case exception, where rather than requiring licensing for the engineers building the product, we put detailled restrictions and regulations on what needs to be done (extensive testing, detailled evidence, monitoring programs, etc) before the product can be sold or marketed.
That is hardly an example of a field where risk-taking is encouraged and unlicensed persons are able to unleash their half-developed ideas on the public.
Do you have any other examples of fields which are "trending away" from licensing?
Aerospace and Automotive engineering would be more examples, and then the obvious case of software and hardware engineering.
As you point out, the trend is for self certification and government review, like is done for medicine, aircraft.
I don't think these are special cases, but the norm for any field developed after the 60's or so.
>risk-taking is encouraged and unlicensed persons are able to unleash their half-developed
That's your hostile strawman, not mine.
You don't see how gate-keeping who can create software is authoritarian?
The distinction between creating virtual software and physical structures is fairly obvious.
Of course physical engineers that create buildings and roads need to be regulated for safety.
And there are restrictions already for certain software industries, such as healthcare.
Many other forms of software do not have the same hazards so no license should be needed, as it would be prone for abuse.
I agree creating software in general shouldn't be gatekept, but requiring that app developers who process PII have more to show than vibe-coding experience would probably be beneficial.
I don't think anyone is proposing that Flappy Bird or Python scripts on Github should be outlawed. Just like you can still build a robot at home but not a bridge in the town center.
OP didn't qualify the statement "This is exactly why I think software engineering should require a licensing requirement".
No mention of PII or any specifics.
SWE already has regulations. I see no need for a license requirement...
Concerning PII, it's kind of hypocritical for the gov to regulate when the NSA was proven to be collecting data on everyone against their will or knowledge.
I’m happy to discuss specifics, so long as they don’t start with the premise “regulation is authoritarianism” and also are in good faith. Kids don’t have to have an engineering license to build a bridge out of popsicle sticks, I doubt you think that someone saying “building a bridge should require a civil engineering license” should apply to that. I’m not unreasonable. I just think there has been entirely too much demonstrated harm to start with the premise of “anyone can build any software they want at any time, with zero liability”.
These students may be liable for things after the fact, but that is hardly any consolation to the people that may have had their intimate personal data leaked. Even if they are successfully sued by everybody on the site, how much money could they possibly squeeze out of a bunch of college students? I don’t know how you can prevent this without some up front thing, such as a license, rather than making them liable after the fact.