Brazil lesbian dating app shuts down after security flaw exposes sensitive user data

September 09, 2025

The Record reports:

A Brazilian dating app marketed as a safe space for lesbian women shut down this week after several users uncovered a flaw that reportedly could expose sensitive data, including identity verification photos.

Sapphos, which launched in early September, required users to verify their identity by submitting a selfie holding a government-issued ID. But on Monday, independent researchers revealed that the app’s application programming interface (API) reportedly contained a flaw that allowed outsiders to retrieve photos and personal details from other users’ accounts without authorization.

The users who discovered the vulnerability shared their findings on X, with one claiming they could “grab all the photos” from the app’s database, including names, birthdates and ID verification selfies. One of the researchers said his intention was not to harm users but to warn the company about the flaw, classified as an insecure direct object reference (IDOR) vulnerability.

Read more at The Record.