Anti-vax dating site Unjected had its user data breached
It turns out that the Venn diagram of people who pridefully reject the COVID-19 vaccination and people who do not take measures to protect their data security is pretty much a circle.
Unjected, an actual, real-life dating site, was created specifically for people who are not vaccinated against COVID-19 and claims to be the “largest unvaccinated platform” online. Beyond exclusively helping anti-vaxxers find love (please, Netflix, do not make this a reality TV show), Unjected also provides a place for users to offer their blood, semen, eggs, or breastmilk for donation. And it’s having a bit of a cybersecurity issue, the Daily Dot reported.
Programmer and security researcher GeopJr, who describes themself as “a CS Student 🧑🎓 from Greece 🇬🇷,” discovered that anyone could access the site’s administrator dashboard, which allows users to add, edit, or deactivate pages. Through this dashboard, anyone could also access user information for any member, including their name, date of birth, email address, and sometimes even their home address.
“Almost none of the actions an admin or a user can take require any kind of authentication whatsoever,” GeopJr told the Daily Dot. “Anyone can directly manipulate parts of its database and its content.”
GeopJr found the flaw because the site had been published live online with debug mode switched on. Debug mode allows users to change the site’s code for the purpose of debugging, which is a wild thing to turn on for an application that’s already live online with around 3,500 active users. It’s through this debug mode that GeopJr made changes to the site.
The entire site first went offline on Friday, July 22 after the Daily Dot reached out to Unjected, and went on and offline all weekend. On Monday, July 25, the site was brought back online — maybe for good. According to the Daily Dot, the exposure of user data is fixed.
Unjected has already gone through the wringer. Back in August 2021, the Apple App Store kicked it out for violating Apple’s COVID-19 policies, so it’s now predominantly making the rounds with Android users and folks on desktop.
With the app still up and running, it’s clear it’s trying to spread quickly — but I can think of at least one thing that famously spreads faster than Unjected.