Get AI summaries of any video or article — Sign up free
Cybersecurity Nightmare thumbnail

Cybersecurity Nightmare

The PrimeTime·
5 min read

Based on The PrimeTime's video on YouTube. If you like this content, support the original creators by watching, liking and subscribing to their content.

TL;DR

OTP login reportedly leaked the one-time code directly in the authentication response, undermining the “one-time” protection.

Briefing

A dating app’s OTP login and exposed API endpoints turned routine account access into a stalking-and-identity-theft risk, with attackers able to enumerate users, harvest sensitive profile data, and potentially take over accounts. The core failure was an OTP system that returned one-time codes directly in the authentication response, meaning possession of a phone number alone could be enough to access accounts. From there, guessable user IDs and insufficient access controls on “authenticated” endpoints allowed broad scraping of personal information—phone numbers, match preferences, sexual interests, intimate messages, and even government ID verification details.

After reporting the issues, the researcher says the app’s team acknowledged the severity in a call on February 24, 2025 and promised prompt remediation and user notifications. Follow-up attempts on March 5 and March 13 for updates and plans to inform affected users reportedly went unanswered. By April 21, 2025, the researcher claims there was no public acknowledgement or user alert, despite independent confirmation that the vulnerabilities later appeared patched.

The technical chain of problems began with OTP-based sign-in: the app sent an OTP code in a network response, so anyone intercepting or otherwise obtaining that response could authenticate without needing a secure out-of-band code verification flow. Next, the researcher used the app’s network behavior to locate backend endpoints. An exposed OpenAPI document (served via a /docs endpoint) made the API structure discoverable, and tooling such as Burp Suite was used to replay requests while preserving required headers and bearer tokens.

With endpoints mapped, the researcher reports two major classes of impact. First were business-logic flaws, including an unprotected action that could force matches between users. Second—and more damaging—was a user profile endpoint that accepted a valid user ID and returned extensive personal data. The response included identifying details (names, phone numbers, emails), demographic and education fields (university, university ID, university name), verification statuses (email verified, mobile verified, national ID verified), and relationship-relevant attributes (gender, interested genders, match preferences). The researcher also describes “national ID verified” as especially alarming, claiming the system stored passport or ID information and that it could be viewed once logged in as any user.

To estimate scale, the researcher wrote scripts to enumerate valid user IDs and count users matching certain criteria, including users claiming to be Yale students and users who had submitted ID information. Circa’s own early claim of 10,000 users in the first week is contrasted with the researcher’s ability to find 6,100 users and hundreds with ID data, suggesting the exposure could have been far broader than a small pilot.

The practical consequence is not just data leakage but real-world harm: stalking, blackmail, identity theft, and targeted harassment become easier when intimate messages and government ID details are accessible. The incident also highlights a recurring security lesson for any PII-heavy app: shipping “industry standard” protections is meaningless if authentication flows leak secrets, APIs expose sensitive data without strict authorization checks, and responsible disclosure doesn’t translate into timely remediation and user notification.

Cornell Notes

The incident centers on a dating app where OTP login and API access controls failed in combination. OTP codes were reportedly returned directly in authentication responses, enabling account access using only a phone number. With exposed API documentation and guessable user IDs, the researcher says it was possible to enumerate users and pull extensive personal data—phone numbers, emails, match preferences, intimate messages, and even government ID verification details. After reporting the vulnerabilities, the researcher claims the company acknowledged severity but did not publicly notify users or follow up, despite later patching. The takeaway is that PII-heavy apps require secure OTP handling and strict authorization on every endpoint, not just “encryption” claims in privacy policies.

How did the OTP system reportedly fail in a way that enabled account access?

OTP-based sign-in was described as “text in a code to your phone,” but the researcher used a proxy to inspect the login flow and found the OTP code directly included in the response. That means the one-time code wasn’t effectively protected as an out-of-band secret; anyone who could obtain/intercept the response could authenticate using just the phone number.

Why did exposed API documentation and endpoint discovery matter for the attack?

The researcher located a /docs endpoint that served openapi.json, making the API structure easier to map. With endpoints identified, tools like Burp Suite could replay requests while preserving required headers (including app version headers and bearer tokens). This reduced the effort needed to find which endpoints returned sensitive data and which ones were improperly protected.

What made user enumeration feasible?

The researcher reports that user IDs appeared auto-incrementing and therefore guessable. By writing a Python script to test valid IDs, it became possible to iterate through users and collect data at scale rather than relying on random guessing.

What kinds of personal data were reportedly exposed through the profile endpoint?

The profile response was described as returning a wide set of fields: names, gender and interested genders, phone number, email, education and university identifiers, verification statuses (email verified, mobile verified, national ID verified), and relationship-related preferences. The researcher also claims access to intimate messages and sexual preferences, plus government ID/passport information tied to “national ID verified.”

What was the reported impact beyond data exposure?

The researcher describes both privacy compromise and account takeover risk. With OTP weaknesses, account takeover becomes plausible; with unprotected business logic, the researcher claims it was possible to force matches between users. Combined with leaked intimate and identity data, the downstream risks include stalking, blackmail, and identity theft.

What happened after disclosure, and why does it matter?

A timeline is given: outreach on February 23, 2025; a productive video call on February 24 where the team acknowledged seriousness and promised remediation and user notification; then follow-ups on March 5 and March 13 seeking updates. The researcher says there was radio silence and no public acknowledgement or user alerts by April 21, 2025, even though independent testing later suggested the issues were patched.

Review Questions

  1. What specific OTP behavior would allow authentication without a properly protected out-of-band code, and why is that dangerous for account security?
  2. How do exposed API docs (like an openapi.json endpoint) change the attacker’s workflow compared with blind endpoint discovery?
  3. Which combination of factors—OTP leakage, guessable IDs, and weak authorization on profile/ID endpoints—most directly enables large-scale privacy harm?

Key Points

  1. 1

    OTP login reportedly leaked the one-time code directly in the authentication response, undermining the “one-time” protection.

  2. 2

    An exposed /docs endpoint serving openapi.json made it easier to map backend endpoints and target the most sensitive ones.

  3. 3

    Guessable, auto-incrementing user IDs enabled enumeration of accounts and large-scale scraping of personal data.

  4. 4

    A user profile endpoint reportedly returned extensive PII without adequate authorization checks, including phone numbers, emails, match preferences, and intimate content.

  5. 5

    The system reportedly stored and exposed government ID/passport information tied to “national ID verified,” increasing the risk of identity theft and blackmail.

  6. 6

    The researcher claims the company acknowledged severity in early discussions but did not publicly notify users or respond to follow-ups before publication, despite later patching.

Highlights

OTP codes were described as appearing directly in the login response, allowing account access without a properly secured out-of-band verification step.
Exposed API documentation (/docs with openapi.json) plus guessable user IDs enabled enumeration and harvesting of sensitive profile data.
Reportedly exposed fields included not just dating preferences and messages, but also “national ID verified” information—raising the stakes from privacy to identity theft.

Topics

  • OTP Security
  • API Enumeration
  • PII Exposure
  • Responsible Disclosure
  • Dating App Privacy

Mentioned

  • Circa
  • OTP
  • PII

Get summaries like this for any content

Videos, articles, research papers — all summarized by AI and searchable in one place.

Start building your library