
Check the app’s code, and you’ll find hardcoded credentials. Probe the endpoints, and you'll find that no authorization is required. The result? Over 124,000 messages from “Gay Daddy: 40+ Date & Chat” users laid bare.
On January 7th, 2025, the Cybernews research team discovered a major security oversight compromising the “Gay Daddy: 40+ Date & Chat” app on Apple’s App Store. It is one of thousands of iOS apps leaking their secrets, as unveiled by the Cybernews analysis of 156,000 apps.
The Gay Daddy app description advertises a “private and anonymous community” for gays and bisexuals to meet each other, one which, in the developer’s words, will “never share your information with third parties.”
However, at the time of discovery, the app’s Firebase instance was leaking over 50,000 user profiles and 124,000 private messages sent between users. Firebase is a Google tool for developers to streamline app development, including data storage, user authentication (like logins), or real-time features such as chat updates.
The consequences can be devastating for the app users.

“Users expect the app to be discreet, but it is completely the opposite. Due to a security misconfiguration, Gay Daddy leaked all of its users’ data, including private messages, photos, locations, and profiles, including names, age, relationship status, and even HIV status,” said Aras Nazarovas, a security researcher at Cybernews.
The database was accessible to anyone with sufficient technical knowledge. The Cybernews research team investigated the publicly available app package using reverse engineering techniques, which unveiled the stored secrets in plain text. The secrets led to exposed third-party service endpoints.
Cybernews responsibly disclosed the breach to the app developer, and the leaking instance was closed. We also contacted the app builder, Surendra Kumar, for comment but did not receive a response at the time of writing.
Attackers could exploit multiple weaknesses
The Firebase endpoint was just one of Gay Daddy’s leaked secrets. Other secret keys were present in the app package as well, including the cloud storage bucket used for storing files, an API key used for authentication to various Google services – which could lead to quota exhaustion attacks – and others.
Firebase is usually used as a temporary database with limited space. When it fills up to a certain degree, the data is synchronized with a permanent database, and the oldest entries in Firebase will be deleted.
A persistent attacker could lurk for a long time, using a scraper to collect a much larger database about the app’s users.
“This data leak compromises app users’ security, allowing threat actors to read private messages and obtain contact lists and location data. Not only does this expose individuals to cyber threats, but also to risks of financial, psychological, and even physical harm, particularly given the prevailing stigmas surrounding homosexuality in certain countries,” Nazarovas warns.
“Gay Daddy: 40+ Date & Chat” has 315 ratings on Apple’s App Store in the US, resulting in a 3.7-star rating. Third parties estimate that it was downloaded over 20,000 times. Based on publicly available information, it appears that the app is maintained by one person.
Cybernews has previously reported on other LGBTQ+ and BDSM dating apps leaking private photos and sensitive secrets, putting users at risk. BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps had hardcoded secret credentials, and their corresponding endpoints were exposed.
Our researchers urge app developers to ensure that their apps do not have hardcoded sensitive credentials and that corresponding endpoints are well protected. Previous iOS app research demonstrates that over 4% of exposed Firebase endpoints do not require authentication to access.
“Make use of appropriate Firebase security rules to ensure only authorized and authenticated users and services can access the data stored within,” Nazarovas said.
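To show what “appropriate Firebase security rules” look like in practice, here is an added example of a Realtime Database ruleset written for this article; it is not the app’s actual configuration, and the paths (`profiles`, `conversations`, `participants`, `displayName`) are assumed for illustration. The misconfiguration described above is the default-open form, `{"rules": {".read": true, ".write": true}}`, which lets any client that knows the endpoint URL read and write the whole tree without signing in. The ruleset below denies everything by default, lets only signed-in users read profiles, lets each user write only their own profile, and limits each conversation to the accounts listed as its participants:

```json
{
  "rules": {
    ".read": false,
    ".write": false,
    "profiles": {
      "$uid": {
        ".read": "auth != null",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['displayName'])"
      }
    },
    "conversations": {
      "$conversationId": {
        ".read": "auth != null && data.child('participants').child(auth.uid).val() === true",
        ".write": "auth != null && (data.exists() ? data.child('participants').child(auth.uid).val() === true : newData.child('participants').child(auth.uid).val() === true)"
      }
    }
  }
}
```

Two caveats a practitioner will want to keep in mind. First, `auth != null` only requires a signed-in account, so anyone who registers can still enumerate profiles; if the app’s discovery feature does not need a full listing, narrow the read rule further or serve search through a backend. Second, rules protect the database going forward but do nothing about data that was already scraped, and they do not by themselves address the quota-exhaustion risk from the bundled API key, which is handled separately through API key restrictions in the Google Cloud console.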
It’s recommended that secrets be kept on a backend server the developer controls, or accessed through client-safe SDKs, with the app’s traffic to third-party services proxied through that private infrastructure rather than called directly with credentials shipped inside the app.