Anti-vaxxer dating site exposes user data

An anti-vax dating site has been revealed as shockingly easy to compromise by security researchers. Many major aspects of the site, from membership subscriptions to support tickets, were found to be vulnerable.

The site, called Unjected, has been around since last year. It functions as a sort of social media/dating platform for folks averse to vaccinations. The site also offers a “blood and fertility match” directory, with some pretty personal details being entered as a result.

What’s interesting about this one is the potential for wider fallout. This is one attack which may not only impact authentic users. It seems many people also signed up to joke around, or mock the site and its users. They may well be caught up in any potential data leakage down the line.

What happened?

A researcher discovered that the site’s web application framework was set to debug mode. Debug mode is something you wouldn’t typically grant third-party users access to. Depending on setup and program, it may reveal all sorts of information to the user. It could grant the user admin powers to remove bugs from the program, with all the site-wide power such a mode implies.

Think video games, where a debug mode is roughly equivalent to a cheat mode granting infinite lives or instant level completion. In short: this isn’t something you want people to stumble across.

Sadly for the site and its users, the site’s administration dashboard was openly accessible. Anyone with access could add, edit, or deactivate pages and user accounts. The researcher who discovered this was able to demonstrate their new-found admin powers on a test account set up by Daily Dot, enabling them to edit the private email address, username, and profile image, as well as the wording on a public post.

Site backups? Downloadable. $15 a month subscriptions? Able to give them away like candy if so desired. Incredibly, help center tickets could be replied to. Given help tickets tend to contain more sensitive user data than what people post publicly, this is rather worrying.

When the fix fails

Once alerted, the people running the site applied fixes which may have made things worse. One user claims that their home address was “published” after registering a new account. Another said they were redirected to a page of code revealing “email address, IP address, browser information, and more”.

As mentioned earlier, sites such as this tend to attract lots of trolling, joke posts, and general mockery. While those people likely used disposable emails to sign up and post, they may well have exposed other data to a site which seems incredibly leaky and bug-riddled at time of writing. Whether legitimate user or not, everyone on the site could have had their data swiped without anybody knowing about it. They’re fortunate the researcher in question found the flaws when they did, or else the site would still be a huge, secret bullseye for people with bad intentions to plunder.

We’d strongly suggest not registering on the site at present. That goes for whether you’re looking to land a date or do some trolling instead. Given the baffling sequence of errors since the admins tried to fix things, it’s simply not worth the effort or the risk.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.