Unsecured API of ‘63Red Safe’ app exposes user data

• 63Red Safe mobile app described as ‘Yelp for conservatives’ exposes user data due to unsecured API.
• The developer of the app hardcoded his credentials and left all the credentials and the list of API endpoints in the app’s source code.

What is the issue - 63Red Safe mobile app described as ‘Yelp for conservatives’ exposes user data due to unsecured API.

Security researcher Robert Baptiste uncovered that the API of the 63Red Safe mobile app was open without any authentication, allowing anyone to view and access the data stored in the app’s database.

What is 63Red Safe?

63Red Safe is an iOS and Android mobile application that is designed for ‘keeping conservatives safe’. The apps help conservatives ‘Find great restaurants nearby, and see how expensive, how far away, and best of all, whether they are safe for conservatives’.

To be precise, 63Red Safe app helps conservatives to know beforehand if a restaurant will allow them to wear MAGA (Make America Great Again) gear while dining.

Why it matters - The developer of the app hardcoded his credentials and left all the credentials and the list of API endpoints in the app’s source code. This allows anyone to view or access user data as well as block/unblock users.

• Baptiste was able to find out that 4466 individuals registered and created profiles in the 63Red Safe app.
• The security researcher was also able to retrieve user data such as username, email address, profile id, avatar, follower count, following count, profile creation date, profile update dates, ban status, and hotscore.

“Please note that the individual who noticed an issue never gained access to any user’s passwords, nor were they able to change or alter any data on our servers, nor were they able to log into our servers or access our databases directly. The small amount information in which they were able to access has now been additionally protected,” 63Red team said in a blog.