Users of ‘throuples’ dating app Feeld may have had intimate photos accessed

Users of Feeld, a dating app aimed at alternative relationships, could have had sensitive data including messages, private photos and details of their sexuality accessed or even edited, it has emerged, after cybersecurity experts exposed a string of security “vulnerabilities”.

Feeld, registered in the UK, reported soaring revenues and profits this month , thanks to millions of downloads from non-monogamous, queer and kinky users across the world.

But while the app has gone from strength to strength financially – and attracted plaudits for its approach to sexuality – a British cybersecurity company claims to have uncovered serious failings in Feeld’s systems earlier this year.

Related: Why is dating app Feeld so popular? Fetishes and throuples are only part of the story | Zoe Williams

Feeld said it had dealt with the concerns “as a matter of urgency”, resolved them within two months and that it had not seen any evidence that user data had been breached.

It did not know how long the vulnerabilities had existed before it was told about them in March by the London-based cybersecurity firm Fortbridge .

Fortbridge discovered the issues after “pentesting”, an industry term for security assessments of websites and apps to identify weaknesses that attackers could exploit.

Its researchers found that it was possible to read other people’s messages exchanged in chats on Feeld and even see attachments, which can include sexually explicit pictures and videos.

This could be done without using a Feeld account, as long as a potential hacker had the user’s “stream user ID”, potentially visible to anyone who could see their profile.

Messages could be edited and deleted, the researchers found, and chats deleted by the users could be recovered. Time-limited photos and videos, commonly used to share explicit images that self-delete after one viewing, could be retrieved and seen indefinitely, by accessing a link available to the sender.

Fortbridge said the failings could also allow a hacker to change someone else’s profile information, including their name, age and sexuality. It was also possible to view other people’s matches and to manually force one profile to “like” another.

The cybersecurity company told the Guardian that the failings could have been exploited by someone with “basic technical knowledge”.

Adrian Tiron, a managing partner at Fortbridge, said: “Although these aren’t the most sophisticated bugs we’ve found or exploited, they are certainly some of the most impactful due to Feeld’s large user base, putting a significant number of users at risk.

“In the industry, it’s common practice for companies to share their best research with the community. We’ve learned a great deal from others by reading their reports, and now it’s our turn to give back.

“We’ve noticed that many companies claim to prioritise security, but often these are just words – more action is needed.”

Feeld said it had not shared information about the security flaws publicly, including with users, because it did not want to “invite bad actors” to manipulate private information.

It said members would be told directly about how it had fixed the issues and that it was looking at sharing more “proactive updates” in future via its website, email and the app.

Alex Lawrence-Archer, a solicitor at the data rights specialist law firm AWO, said Feeld could now face repercussions from the data regulator, the information commissioner’s office, or from any user whose information was found to have been accessed.

“If this is right, that personal data, including messages and private photos, was exposed in this way – or even capable of being accessed – there’s a strong argument that it’s in beach of the core GDPR principle that data must be processed in a secure fashion,” he said.

“It’s the kind of thing I’d expect the ICO to investigate, if accurate, to get to the bottom of what’s gone on and whether any remedial or enforcement action is warranted.

“We don’t know if anyone’s photos or messages have been accessed. If it turned out that they had, such an individual would have cause of action against Feeld, for instance if they had suffered distress.”

Lawrence-Archer said the security vulnerabilities also raised potential concerns about identification of LGBTQ+ people in countries where homosexuality is illegal.

The ICO said it had not received reports of a data breach at Feeld. Feeld said it had not informed the regulator because it had seen no evidence that anyone had accessed private data and a third-party organisation had approved its decision not to self-report.

The company said it had investigated the problems brought to its attention by Fortbridge on 3 March and fixed them by 28 May but had failed to communicate adequately to Fortbridge that the issues had been resolved and were being reviewed by a third party.

It said no issues were outstanding, except for one that allowed non-members to access premium features, adding that it welcomed further pentesting.

“Our members’ safety and security is our top priority, and we welcome ongoing collaboration with the ethical hacking community to identify vulnerabilities as this only strengthens our platform for the future,” said a spokesperson.

It added that it had previously been unable to run the kind of tests on its systems that Fortbridge had done but was now able to do so.