Muslim Tinder exposes secrets, risks user privacy

Salams, a Muslim-oriented dating app, skimped on protection for its users, with the Cybernews research team discovering that the platform was wide open for user-impacting attacks for 18 months.

Few data-gobbling apps hold more sensitive information than dating apps. For example, attackers leaking data from the affair-oriented dating platform Ashley Madison led to at least one suicide and a plethora of divorces.

Our researchers discovered an exposed, publicly hosted environment (.env) file belonging to Salams. It contained credentials for multiple sensitive services, including the platform's Amazon Web Services (AWS) S3 and Elasticsearch instances, and an OAuth secret (OAuth is a service used to provide authentication through third-party systems).

“Dating apps' leaks are extremely sensitive. Just imagine what an impact a data leak could have on someone if friends or family discovered their family member or significant other was using a dating app,” researchers said.

.env files are crucial configuration files for any website and should be kept private. They hold passwords, API keys, and other secrets that websites need to access databases, mail servers, payment processors, content management systems, and other essential services.
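As an added example (not the article's, Cybernews' or Salams' code), a small pre-deploy check a site owner can run against the directory that will be served: it finds dotenv files, parses them, and reports which credential-bearing keys they hold without ever printing a value. The key-name markers and the sample .env are constructed for the example.

```python
import tempfile
from pathlib import Path
# Constructed sample .env (not Salams' real file); keys mirror the article's service types.
SAMPLE_ENV = """APP_NAME=example
export AWS_ACCESS_KEY_ID="AKIAEXAMPLE0000000"
AWS_SECRET_ACCESS_KEY='examplesecretexamplesecret'
ELASTICSEARCH_URL=https://search.example.internal:9200
TWILIO_AUTH_TOKEN=0123456789abcdef
SENDGRID_API_KEY=SG.example
"""
# Key-name fragments that mark a value as a credential rather than plain config.
SECRET_MARKERS = ("SECRET", "TOKEN", "API_KEY", "PASSWORD", "PRIVATE_KEY", "ACCESS_KEY")
DOTENV_GLOBS = (".env", ".env.*")

def parse_dotenv(text):
    """Parse KEY=VALUE lines; skip comments and blanks, strip 'export ' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def secret_keys(env):
    """Names of keys holding credentials; their values are never returned or printed."""
    return sorted(k for k in env if any(m in k.upper() for m in SECRET_MARKERS))

def scan_webroot(root):
    """Map each dotenv file under root (relative path) to its credential-bearing keys."""
    root = Path(root)
    findings = {}
    for pattern in DOTENV_GLOBS:
        for path in root.rglob(pattern):
            if path.is_file():
                keys = secret_keys(parse_dotenv(path.read_text()))
                if keys:
                    findings[path.relative_to(root).as_posix()] = keys
    return findings

def demo():
    # Write the constructed sample into a throwaway web root and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / ".env").write_text(SAMPLE_ENV)
        return scan_webroot(tmp)
```

Any non-empty result should block the deployment; pairing the check with a web server rule that refuses requests for dotfiles covers the case where a file slips through anyway.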

While exposing a .env file is bad enough on its own, Salams, formerly known as Minder, left the file accessible to the public for over two years, giving attackers ample time to abuse the security hole.

The team informed the app's developers about the exposed file on December 8th, 2023. However, the publicly accessible file was taken offline only on May 20th, 2024.

Salams claims to have over six million users and has helped start 360,000 friendships and 300,000 marriages. The app has over a million downloads on the Google Play Store.

We reached out to Salams for official comment but did not receive a reply before publishing.

What Salams data was exposed?

The exposed file contained an AWS access key ID and secret key. The latter is used to authenticate requests, and malicious actors could use this information to access Salams' databases and storage.

According to the team, the .env file also held credentials for the app's Elasticsearch instance. Exposing Elasticsearch can pose serious risks to both the company and its users.

“It could lead to unauthorized access to sensitive user data stored in the Elasticsearch database. User profiles, personal information, and other sensitive data could be compromised, resulting in a data breach,” researchers said.

We have published numerous cases where companies have exposed Elasticsearch instances, risking the safety of their users.

The file, which had been exposed since December 2022, contained access keys to Firebase, a platform that provides a set of tools and services for companies to build and manage their applications. Malicious actors could exploit the access to penetrate services, including storage, cloud services, and databases.

Twilio account credentials were also exposed. Twilio is a cloud communications platform that provides APIs for sending and receiving text messages, making phone calls, and other communication services. Malicious actors may use the compromised account to send messages, make calls, or access other Twilio services on behalf of Salams.

Researchers identified an exposed Agora App ID and Certificate. Companies use Agora services to integrate real-time communication features into their applications. The App ID and App Certificate are crucial for authenticating and authorizing access to Agora's services.

“Attackers with access to Agora credentials could potentially disrupt the company's real-time communication services, leading to service outages and impacting user experience as they might allow malicious actors to retrieve the video calls and texts,” researchers explained.

Salams’ secrets, Salams’ keys

Among a plethora of credentials, the Muslim-oriented dating platform’s configuration file contained a number of secrets and keys. For example, the team discovered keys that open Authy, a service that businesses employ to implement two-factor authentication (2FA) and enhance the security of user accounts.

The exposed Authy API endpoint and API key allow attackers to generate and validate 2FA codes for the company's users. Attackers might also use compromised accounts for malicious purposes or attempt to impersonate users.

The team noted that the exposed cluster also held the Content Delivery Network (CDN) URL and encryption key. Revealing these poses severe risks, as they could allow unauthorized individuals to access and download the content directly, leading to further data leaks.

“Attackers might use the encryption keys and exposed URLs to carry out man-in-the-middle attacks. This could involve intercepting and manipulating the communication between the client and the CDN, leading to potential security vulnerabilities,” researchers said.

Meta's Instagram-related open authorization (OAuth) protocol tokens were also found in the .env file, likely used for the "login with Instagram" functionality. Attackers could employ the leaked tokens to identify which Instagram account is linked to which Salams account.

The file also contained authorization tokens for Retool, a platform that lets companies build internal tools and applications, as well as an API key and token for Sendbird, a cloud-based platform that provides chat, voice, and video messaging services, and for SendGrid, a cloud-based email delivery service.

“Malicious actors could be able to send unauthorized emails using Minder's SendGrid account if the key is exposed, effectively overtaking the official communication channel of Salams’ app. This could include distributing malicious content such as malware, phishing emails, or spam,” the team said.

Salams users at risk

Salams' users bear the brunt of the risks associated with data leaks of such scale. The team believes that the exposed cluster contained enough data for attackers to access personal user data.

“Personal information, including usernames, email addresses, phone numbers, location data, profile details, and potentially sensitive information shared within the app, might be accessed by malicious actors due to a wide array of exposed credentials residing in the found environment configuration file,” researchers said.

Additionally, attackers could use the compromised app to launch mass phishing attacks. For example, malicious actors could impersonate website owners to send deceptive messages or notifications to users, attempting to trick them into providing more sensitive information, such as passwords in plaintext, by clicking on malicious links.

According to the Mozilla Foundation, Salams’ privacy track record is far from spotless. In December 2017, security researchers identified a large-scale vulnerability.

Data made potentially accessible to all Minder users included full names, dates of birth, GPS coordinates, phone numbers, email addresses, and Instagram and Facebook account IDs and access tokens.