A security researcher has discovered that Unjected, a website promoting meetings between unvaccinated people and popularly dubbed “Tinder for anti-vaxxers,” exposed the data of all its subscribed users.
Unjected has been around for some time, but only gathered a following of a few thousand people. The project also has a couple of apps for Android and iOS, but Apple kicked the app off its store for breaking COVID-19 regulations.
According to a Daily Dot report, security researcher GeopJr discovered that the website’s security policies are lacking, to say the least. He could easily access the administrator dashboard, gaining control over the whole website. That meant access to subscribed users’ data and to all of the site’s functions, including deleting the underlying database.
During their investigation, Daily Dot contacted site co-founder Shelby Thomson about the problem. He admitted that a few of the roughly 3,500 users complained about the issue and promised to notify the technical team.
Soon after, the team made some modifications to the website, but the problems only worsened. Some users reported seeing pages of code instead of the website, and those pages also displayed personal information such as email addresses and IP addresses.
Thomson didn’t answer questions a second time, but Unjected went down for a few days and returned with some of the problems fixed, including the issue of access to the admin account. Security researchers say that other critical bugs remain.