Update May 25th, 2020 3:53 PM Pacific Time
The asexual app AceApp has not fixed the security flaw that outs users. It saddens us greatly that the owner has not fixed the flaw. We will continue to keep you updated with proper information.
Update May 26th, 12:27 AM Pacific Time
After asexual.net wrote an article based on ours, AceApp responded. It does not seem to be a coincidence that they replied the day another asexual dating app wrote an article. Their response claims that this is a feature and that your data is secure. We do not believe this is a secure way to store anyone’s data, but we will let you decide: we have published what we called a vulnerability, which they are trying to spin as a feature. Watch the video and make your own decision.
The asexual dating app AceApp is made by someone named Purush, who appears to be in India. The app and any other apps by Purush are hosted on purush.xyz. Asexuals are in the acronym LGBTQIA. When you search for this specialty app's site, purush.xyz, you get a site that took a screenshot of AceApp's faulty API exposing info on active users. Unfortunately, this issue still exists, and sadly the owner, Purush, did not respond to us or to other media outlets who reached out to him, nor did he fix the issue.
AceApp has over 10 thousand users, which is around ten percent of the known asexual community. When we discovered their web API, we looked at how their app works. Some of the information shown on the web API is also shown on the Android app's most active list, which shows who logged on last, where from, their name, country, state, an image of the person and more identifying information. However, the most active list, which uses some of the info also shown on the web API, is supposed to be for logged-in users only. It gets worse: your information isn’t encrypted with HTTPS when it is transmitted over the wire, so anyone on the same network as you, your internet service provider, etc. could intercept what you are doing.
Additionally, because of the issue with the web API, it is easy for anyone who opens the app to scrape all the active users of AceApp: where asexuals live in the world, their pictures, names and usernames.
To the creator's credit, the API doesn’t show a user's info unless you have an ID. Unfortunately, most people can easily guess or know an ID, due to the way databases work.
Am I in the AceApp breach?
Yes, your picture is at least. We are able to download every single image of every single user, because the name of your image is the same as the numerical ID you were given when you signed up, so you just increment by one and you get each user's picture. We don’t need a name assigned to the image to potentially use facial recognition on it to find your social media accounts and name.
Additionally, if you log in to the app or have logged in to the app in the last 24 hours, your real name, username, picture, country, and location can all be downloaded and compiled into a database of each user.
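One way a service can close both gaps described above (pictures named after the signup ID, and data served to anyone without a login), shown as an added example that is not AceApp's code. The `ImageStore` class, its method names and the sample images are assumptions constructed for illustration.

```python
import secrets

class ImageStore:
    """Constructed sketch: pictures named by random token, served only to logged-in users."""

    def __init__(self):
        self._images = {}    # image name (random token) -> image bytes
        self._sessions = {}  # session token -> user id

    def login(self, user_id):
        session = secrets.token_urlsafe(32)
        self._sessions[session] = user_id
        return session

    def upload(self, image):
        # 128 random bits: the name says nothing about signup order or user ID.
        name = secrets.token_urlsafe(16)
        self._images[name] = image
        return name

    def fetch(self, session, name):
        # Refuse anonymous requests before touching the image table.
        if session not in self._sessions:
            return 401, b""
        image = self._images.get(name)
        if image is None:
            return 404, b""
        return 200, image


def sequential_hits(store, session, first_id, count):
    """Self-check: how many images answer to names first_id, first_id+1, ..."""
    return sum(
        store.fetch(session, str(n))[0] == 200
        for n in range(first_id, first_id + count)
    )


if __name__ == "__main__":
    store = ImageStore()
    names = [store.upload(b"constructed image %d" % i) for i in range(1, 6)]
    session = store.login(user_id=1)
    print(store.fetch(None, names[0])[0])             # anonymous request
    print(store.fetch(session, names[0])[0])          # logged-in request
    print(sequential_hits(store, session, 1, 10000))  # counting upward
```

Random names only stop guessing; the login check in `fetch` is what keeps the data from anonymous visitors, and both still need HTTPS so the tokens are not readable on the wire.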
What is asexual?
Asexual is part of LGBTQIA. This article previously said the A in LGBTQIA has dual meanings, and while that is technically accurate, @asexuality, the Twitter account for asexuality.org, the leading information hub on asexuality, says it erases asexuals. In light of this, and of valuable feedback from someone who goes by @dirtyunclekevin, we’ve amended this to reflect the community.
Asexual is a spectrum, from people who have no interest in sex or romance to those who date through identity-based relationships. Some have sex, usually to please their partners. If you want an extremely detailed guide, go to asexual.org.
What have you done to protect users' identities?
We are not publicly linking to the API, nor are we providing screenshots from the API. We provide this information only to journalists who simply need to verify the breach of users' privacy.