Plenty of Fish is a Canadian online dating service. Their service is distributed via their Android and iOS apps as well as their web application. Their entire user-base is reported to be ~100 million users with ~400k online at any given time.
After providing a trove of personal information during the registration process Plenty of Fish allows you to begin matching with other users in your area. Meet up based attacks leveraging dating apps have been in the news recently with criminals using Gridr, the online dating application geared towards gay, bi, and trans people, to lure and assault users.
Initial analysis of the Plenty of Fish API showed responses contained generic logging and app data. Unfortunately the responses also contained user data which was potentially sensitive. This sensitive data included a users first name, even when they requested for it not to be shown, and the ZIP code of the users home.
With the API revealing both a users first name and the general location of their home it's not outside the realm of possibility that a malicious actor could leverage this data to locate the users of Plenty of Fish. With the recent Grindr attacks dating platforms should be very careful with how they share their users location information as it could be used by criminals to harass or attack their users. Plenty of Fish was made aware of this issue and has issued a fix.
A users location is found based on their home ZIP code provided by the Plenty of Fish API
When registering Plenty of Fish states that they won't display certain information about the user such as their income level, marital status of their parents, or number of siblings. Although Plenty of Fish indeed does not display this information on a user’s profile, it is still accessible to any viewer of their profile via the API.
This data which is explicitly stated as "Not displayed in profile" is being returned via the API and not being rendered in the user profile. Plenty of Fish is being truthful in stating that the data is not "displayed" when your profile is viewed, however a technical savvy user would be able to access that data.
Income level, sibling count, and parents marital status all revealed by encoded API responses.
Plenty of Fish was quite responsive and diligent with regards to rolling out a fix for revealing a users home ZIP code, however I have heard no response regarding fixing the revealed "Not displayed in profile" information.
In this instance I think its good to ask ourselves whether users understand that "not displaying information" does not equate to "not revealing information"? If the general user does equate these statements does it become the duty of the service to adhere to this belief?