This review of the ace app dating site and social network started in January, with one issue we asked them to fix: every user's location, real name and real pictures were being leaked. We originally thought this app had only 10 percent of all known asexuals, but thanks to the aceapp social network's leak we discovered it had over 46 thousand asexuals of the 100 thousand publicly known to AVEN.

Aceapp publicly acknowledged it as a feature 6 months after we contacted them, when their competitor wrote about it, so we released the video below of said feature.

We are now concerned that the owner claims an app with what appears to be a SQL injection is secure, while it also has many other issues just as bad for users' safety, despite the last two updates saying they included privacy updates; the only privacy improvement was removing the feature that exposed users' info. Originally the issue was only a 24-hour log of who had been online last, showing where they lived, their real name and username, and their profile image. They then attempted to fix it, but instead made it worse: the new version could expose everyone's location, name and profile picture. We contacted them privately about making the issue they were calling a feature worse, and they removed it.

Unfortunately for the LGBT+ community, you don't need a feature or a hack to see their private info, since aceapp still uses plain http, an insecure protocol: your government, your family, or that weirdo in the coffee shop can read the messages and private information you send on aceapp over wifi. Using 4g or 3g will not stop your government, or anyone who knows how to intercept 4g and 3g traffic, from seeing it. The fix for this security issue is to switch to https.

aceapp announced in our comments that they are 100 percent secure and there wasn't an issue, right after emailing us to say there was an issue. In the interest of transparency as a reporter, we immediately published the email in full, typos from a mobile phone and all. Saying they are secure while knowing there appears to be a SQL injection means they consider it a feature, not to mention the myriad other security holes. We are leaving the majority of our updates intact to show you the painstaking work we have gone through and that we acknowledge it isn't close to over.

Aceapp has around 50 thousand users according to their now-closed feature. That is 50 percent of the known asexual community. A failure in their security affects us all, so we must treat it, and their handling of security, as an attack on the safety of those who are asexual: governments may look unfavorably on this, yet we cannot change who we are or how we identify.

While our work to get them to stop telling the world when any user logged on is done, and it took six months, our work is far from over, and we will continue to update the public.

We also got them to ensure that profile images can no longer be viewed in a browser and downloaded with a browser scraper. Other avenues of attack may still exist. That's the positive news, sadly.

One of the avenues of attack, as discussed above, is http; aceapp replied insisting this was fixed in the June 4th update, except for their terms and privacy page. Sadly, that isn't accurate.

Google's Chrome browser warns you when a site is not secure, even if it uses https, and this is what you get when you go to

aceapp is not secure according to the Chrome browser, due to a 548-day-old expired certificate.
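The Chrome warning above is the result of certificate validation failing. As an added example (not the site's or the app's code), the Python below does the same check: `days_past_expiry` turns the `notAfter` date string that Python's `ssl` module reports into the number of days a certificate has been expired, and `check_tls` performs a fully verified handshake against a host the way a browser does and reports OpenSSL's reason when validation fails. The certificate dates in the sample and the placeholder host `example.invalid` are constructed for illustration.

```python
"""Check a site's TLS certificate the way a browser does (illustration)."""
import socket
import ssl
from datetime import datetime, timezone


def days_past_expiry(not_after: str, now_iso: str) -> int:
    """Days by which `now_iso` (ISO-8601 with offset) is past the certificate's
    notAfter date, given in the format ssl.SSLSocket.getpeercert() reports it,
    e.g. 'Jun  4 12:00:00 2020 GMT'. Negative while the certificate is still valid."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = datetime.fromisoformat(now_iso)
    return (now - expires).days


def describe_validity(not_after: str, now_iso: str) -> str:
    """Human-readable verdict matching what a browser would show."""
    days = days_past_expiry(not_after, now_iso)
    if days >= 0:
        return f"EXPIRED {days} days ago: browsers will warn that the site is not secure"
    return f"valid for another {-days} days"


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): a fully verified handshake with the default
    trust store, which is what a browser does before showing the padlock.
    Returns {'ok': True, 'not_after': ...} when the chain validates, otherwise
    {'ok': False, 'reason': ...} carrying OpenSSL's verification message,
    e.g. 'certificate has expired'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "not_after": tls.getpeercert()["notAfter"]}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    # Constructed sample: a certificate that expired 548 days before the check date,
    # matching the age of the expired certificate reported above.
    print(describe_validity("Jan  1 00:00:00 2019 GMT", "2020-07-02T00:00:00+00:00"))
    # Live check against a real host (placeholder shown; needs network access):
    # print(check_tls("example.invalid"))
```

Note that `check_tls` deliberately keeps verification on: turning it off to "see" an expired certificate also makes `getpeercert()` return nothing, and more importantly it would no longer tell you what a user's browser will do.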

On the positive side, they also claim they moved the images to a more secure system; we have not independently verified this and will be looking closely into their claim.

If you accept the currently known issues as acceptable risks, we aren't going to tell you not to use the social network; you have been warned.

Now we are going to show you how aceapp looked recently, which they called a feature.

As we addressed above, they publicly called this a feature on May 26th, after their competitor wrote about our research, so we released the above video, titled "feature or vulnerability?", along with their response.

We were absolutely thrilled by a small victory on June 6th, when the 24-hour log was cut down to only a few people at a time, which looked like this.

The more secure feature of exposing everyone’s information.

Unfortunately, we discovered that this improvement had a new issue: we could now type numbers into the field marked id and cycle from 1 to over 100 thousand, or until the database had given everything to the log. When we put in a random id, which is simply a series of numbers like 19968, the log would show that user as just logged in. Done for every id, the log would display every user as logged in and disclose all their information.
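What went wrong in that "improvement", and what a fixed endpoint looks like, shown as an added example in Python rather than the app's own PHP. This is not aceapp's code: the table layout, the 15-minute "active" window, the session-token header, the columns returned and the sample users are all assumptions made here for illustration.

```python
"""A 'who is online now' endpoint: the broken pattern beside the fixed one (illustration)."""
import sqlite3

ACTIVE_WINDOW_SECONDS = 15 * 60   # assumed policy: "online now" = seen in the last 15 minutes
DEMO_NOW = 1_600_000_000          # fixed clock so the sample is deterministic


def build_sample_db(now: int) -> sqlite3.Connection:
    """Constructed in-memory stand-in for the app's user and session tables."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, real_name TEXT,"
        " city TEXT, country TEXT, photo_url TEXT, last_seen INTEGER)"
    )
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER)")
    users = [
        (1, "alice", "Alice Example", "Leeds", "UK", "https://example.invalid/p/1.jpg", now - 60),
        (2, "bob", "Bob Example", "Austin", "US", "https://example.invalid/p/2.jpg", now - 300),
        (3, "carol", "Carol Example", "Pune", "IN", "https://example.invalid/p/3.jpg", now - 30 * 86400),
    ]
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?, ?)", users)
    db.execute("INSERT INTO sessions VALUES (?, ?)", ("tok-alice", 1))
    return db


def get_active_now_vulnerable(db: sqlite3.Connection, params: dict) -> list:
    """The broken pattern described above: no login required, and whatever id the
    client sends selects that row, active or not, with every column. Counting up
    from 1 therefore walks the whole user table. (The query itself is parameterized;
    the separate SQL injection concern in the write-up is not modelled here.)"""
    user_id = int(params.get("id", 0))
    cur = db.execute(
        "SELECT id, username, real_name, city, country, photo_url FROM users WHERE id = ?",
        (user_id,),
    )
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def get_active_now_hardened(db: sqlite3.Connection, params: dict, headers: dict, now: int):
    """The same endpoint with the controls that close the hole:
    1. the caller must hold a valid session (401 otherwise);
    2. the client-supplied id is ignored: the server alone decides who is active;
    3. only users seen inside the window are returned;
    4. only the columns the screen needs leave the server (no real name, no location)."""
    token = headers.get("Authorization", "")
    if db.execute("SELECT 1 FROM sessions WHERE token = ?", (token,)).fetchone() is None:
        return 401, {"error": "authentication required"}
    cur = db.execute(
        "SELECT username, photo_url FROM users WHERE last_seen >= ? ORDER BY last_seen DESC",
        (now - ACTIVE_WINDOW_SECONDS,),
    )
    return 200, [{"username": u, "photo_url": p} for u, p in cur.fetchall()]


def run_demo() -> dict:
    """Exercise both handlers against the sample data and return the outcomes."""
    db = build_sample_db(DEMO_NOW)
    leaked = get_active_now_vulnerable(db, {"id": "3"})          # carol: last seen a month ago
    anon_status, _ = get_active_now_hardened(db, {"id": "3"}, {}, DEMO_NOW)
    auth_status, listing = get_active_now_hardened(
        db, {"id": "3"}, {"Authorization": "tok-alice"}, DEMO_NOW
    )
    return {
        "leaked_inactive_user": leaked[0]["real_name"] if leaked else None,
        "leaked_fields": sorted(leaked[0]) if leaked else [],
        "anonymous_status": anon_status,
        "authenticated_status": auth_status,
        "online_usernames": [row["username"] for row in listing],
        "fields_returned": sorted(listing[0]) if listing else [],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The key design point is item 2: an "online now" list has no legitimate reason to accept a user id from the client at all, so the fix is to drop the parameter, not to validate it.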

Since it is pride month, we wrote to them to report the issue, only to have them admit there was a problem, then comment here a few minutes later that there was never a problem.

Since we had been reporting on this, we published the email correspondence for complete transparency. The email exchange below has only been corrected for typos.

Subject: Re: New exploit in aceapp unpublished

From: ACEapp Help
Date: Today 02:27

Hi Ryan, We truly appreciate your concern about the data breach on ACEapp. We want to inform you that all the data on ACEapp is completely safe and only authorized users can request and view the data. The only issue was with the getActiveNow where anyone can see data of all the online users at a particular time. We have fixed the issue already. Now no one can request any data outside the application without proper authorization. 
Thanks. Let us know if you still find any such issue. 
On Wed, Jun 10, 2020 at 11:07 AM <> wrote:

We tried contacting you before we went public with the 24 hour log of users. Let's put aside what appears to be a sql injection and a way to download all the users' profile pictures, among a few other public bugs. In honor of pride month we are informing you of a worse issue you just implemented, which I hope was by accident. The getActiveNow.php file can now expose not just a 24 hour log; we can download the entire database of every user's real name, username, location, state, country, province, city and personal profile image.

It is a simple bug to solve: you just provide a number 1,2,3, all the way up to a million or until the database runs out of info. If we can help with an issue that is getting worse, not better, then we need to team up.
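The email above describes requests that count an id upward from 1. That pattern leaves a distinctive trace in a web server's access log, and it is something a site operator can alert on even before the endpoint itself is fixed. As an added example (not aceapp's code), the Python below parses Apache-style combined log lines, constructed here for illustration, groups requests to `getActiveNow.php` by client address, and flags any client that asks for many distinct ids, reporting the longest run of consecutive ids as the tell-tale sign of walking the table. The threshold of 20 distinct ids and the sample client addresses are assumptions.

```python
"""Flag clients enumerating ids against getActiveNow.php in an access log (illustration)."""
import re
from collections import defaultdict

# Apache/nginx combined log format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
ID_RE = re.compile(r'/getActiveNow\.php\?(?:.*&)?id=(\d+)')


def parse_line(line: str):
    """Return (client, requested_id) for a getActiveNow.php?id=N request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    id_match = ID_RE.search(m.group("path"))
    if not id_match:
        return None
    return m.group("client"), int(id_match.group(1))


def find_enumerators(lines, min_distinct_ids: int = 20) -> list:
    """Group id lookups per client and report clients that requested at least
    `min_distinct_ids` different ids. `longest_run` is the longest stretch of
    consecutive ids (N, N+1, N+2, ...), the signature of counting through the table."""
    ids_by_client = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            client, user_id = parsed
            ids_by_client[client].add(user_id)
    findings = []
    for client, ids in ids_by_client.items():
        if len(ids) < min_distinct_ids:
            continue
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        findings.append({"client": client, "distinct_ids": len(ids), "longest_run": longest})
    return sorted(findings, key=lambda f: f["distinct_ids"], reverse=True)


def sample_log() -> list:
    """Constructed log: one client walking 25 consecutive ids, plus two ordinary users."""
    lines = [
        f'203.0.113.7 - - [10/Jun/2020:10:59:{i % 60:02d} +0000] '
        f'"GET /getActiveNow.php?id={19968 + i} HTTP/1.1" 200 412'
        for i in range(25)
    ]
    lines.append('198.51.100.4 - - [10/Jun/2020:11:00:03 +0000] "GET /getActiveNow.php HTTP/1.1" 200 2210')
    lines.append('198.51.100.9 - - [10/Jun/2020:11:00:09 +0000] "GET /getActiveNow.php?id=42 HTTP/1.1" 200 401')
    lines.append('198.51.100.9 - - [10/Jun/2020:11:00:15 +0000] "GET /profile.php HTTP/1.1" 200 1800')
    return lines


if __name__ == "__main__":
    for finding in find_enumerators(sample_log()):
        print(finding)
```

In a real deployment the same grouping would be done per time window (for example, per five minutes) so that a slow enumeration spread over days still accumulates, and the finding would feed a rate limit or block on the endpoint rather than just a report.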


Was I in the AceApp breach?

update 3/8/2020

It is quite possible. Since at one point every user could be exposed, it's possible that someone downloaded every single image of every single user, along with the username, name and location you provided.

What is asexual?

Asexual is part of LGBTQIA. This article previously said the A in LGBTQIA has dual meanings, and while that is technically accurate, @asexuality, the Twitter account for the leading information hub on asexuality, says it erases asexuals. In light of this, and of valuable feedback from someone who goes by @dirtyunclekevin, we've amended this to reflect the community.

Asexual is a spectrum, from people who have no interest in sex or romance to those who date through identity-based relationships. Some have sex, usually to please their partners, but if you want an extremely detailed guide go to

What have you done to protect users' identities?

We did not publicly link to the API. We provided this information only to journalists who needed to verify the breach of users' privacy, until aceapp deemed it a feature.

267 Responses

  1. Hi, everyone,

    We truly appreciate your concern about the data breach on ACEapp.

    We want to inform you that all the data on ACEapp is completely safe and only authorized users can request and view the data. We recently launched our new update on 4th June in which we have used a new database and a secure environment. All the confidential data like password, email, authentication tokens are secured using SHA-2 cryptographic hash functions.
    No one can read any data outside the application without any proper authentication. All the previous REST APIs are no longer functional.


    Let us know if you still find any such issue.

    1. This isn’t accurate. You’re still using http, which means anyone on the same network as you or your government can see your messages, etc. If it is illegal in a country to be asexual, then you’re risking the lives of your users. I know many countries are anti-LGBTQIA

      1. Hi wefightforsecurity team,
        On ACEapp we are using HTTPS not HTTP. We were using HTTP before our 4th JUNE update. In the recent changes, we have moved our application to HTTPS. All our REST API services are deployed on highly secure cloud engines.
        In our current version of ACEapp, we are only keeping our Terms and Conditions and Privacy Policy on HTTP, which are plain HTML pages and do not contain any information specific to users. These are the URLs:
        Apart from it all the APIs and images are moved to HTTPS. Images of users are moved to highly secure Cloud Bucket.

        Let us know if you still find any such issue.
        We are open for conversation.

