Owner Of MAGA-Friendly Yelp Knockoff Threatens To Call FBI After Researcher Exposes Security Holes

The rollout of a Yelp-like phone app aimed at helping Donald Trump’s supporters find businesses friendly to MAGA-hat-wearing chuds is going about as well as you’d imagine.

After security flaws in the app were made public Monday night, the developer behind “63red Safe” flipped his shit online and threatened to sic the FBI on the researcher who had outed its sloppy source code.

63red rolled out roughly a week ago, as the Daily Beast first reported, and is geared toward enabling users to rate restaurants, for instance, based on whether they “serve persons of every political belief” and “allow legal concealed carry,” among other criteria unrelated to the quality of their food or cleanliness of their bathrooms.

A French researcher who goes by the Mr. Robot-themed handle Elliot Alderson tweeted that they’d reviewed the Android build of the app and discovered several urgent issues — the first being that the credentials of the app’s designer, Scott Wallace, appeared hard-coded into the application itself.
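A defender-side check for that first finding, credentials shipped inside the app build, as an added example that is not from the original article, from 63red, or from Alderson: a small Python scanner that runs over text extracted from a decompiled Android app (a resource file and a config class) and flags lines that look like embedded secrets. The sample resource file and config class below are constructed, and the rule set and file names are assumptions for illustration, not anything known about the real app.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    source: str
    line: int
    rule: str
    snippet: str


# Constructed sample inputs, standing in for files pulled out of a decompiled
# APK. Nothing here comes from any real application.
SAMPLE_STRINGS_XML = """\
<resources>
    <string name="app_name">ExampleApp</string>
    <string name="api_base">https://api.example.test/v1</string>
    <string name="admin_user">admin@example.test</string>
    <string name="admin_password">S3cretPassw0rd!</string>
    <string name="welcome">Welcome back</string>
</resources>
"""

SAMPLE_JAVA = """\
public final class Config {
    public static final String API_KEY = "AKIAEXAMPLEEXAMPLE01";
    public static final String DB_URL = "https://user:hunter2@db.example.test/app";
    public static final int TIMEOUT_MS = 3000;
}
"""

# Extract (key, value) pairs from the common shapes found in decompiled output.
# The first pattern that matches a line wins, so a line yields at most one pair.
KEY_VALUE_PATTERNS = [
    # Android string resource: <string name="key">value</string>
    re.compile(r'<string\s+name="(?P<key>[^"]+)"\s*>(?P<val>[^<]*)</string>'),
    # Java/Kotlin constant or assignment: KEY = "value"
    re.compile(r'\b(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<val>[^"]*)"'),
    # key=value or key: value (properties, JSON-ish, YAML-ish lines)
    re.compile(r'^\s*"?(?P<key>[A-Za-z_][A-Za-z0-9_.-]*)"?\s*[=:]\s*"?(?P<val>[^"\s,;]+)'),
]

# Key names that usually mean the value is a secret (assumed starting list).
CREDENTIAL_KEY = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_-]?key|apikey|auth[_-]?token|"
    r"access[_-]?token|private[_-]?key)"
)
# URLs carrying userinfo, e.g. scheme://user:pass@host
URL_USERINFO = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@")
# Well-known AWS access key id prefixes followed by 16 uppercase alphanumerics
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def _is_placeholder(value: str) -> bool:
    """True for values that reference config rather than contain a secret."""
    v = value.strip()
    return (v == "" or v.startswith("${") or v.startswith("@string/")
            or v.upper() in {"CHANGEME", "TODO", "REPLACE_ME", "XXX"})


def scan_text(text: str, source: str) -> List[Finding]:
    """Scan one extracted file's text line by line and return all findings."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        snippet = line.strip()
        if URL_USERINFO.search(line):
            findings.append(Finding(source, lineno, "url-embedded-credentials", snippet))
        if AWS_KEY_ID.search(line):
            findings.append(Finding(source, lineno, "aws-access-key-id", snippet))
        for pattern in KEY_VALUE_PATTERNS:
            m = pattern.search(line)
            if m:
                key, val = m.group("key"), m.group("val")
                if CREDENTIAL_KEY.search(key) and not _is_placeholder(val):
                    findings.append(Finding(source, lineno, "credential-in-key-name", snippet))
                break
    return findings


def scan_artifacts(artifacts: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of file path -> file text, in insertion order."""
    results: List[Finding] = []
    for path, text in artifacts.items():
        results.extend(scan_text(text, path))
    return results


if __name__ == "__main__":
    for f in scan_artifacts({"res/values/strings.xml": SAMPLE_STRINGS_XML,
                             "Config.java": SAMPLE_JAVA}):
        print(f"{f.source}:{f.line} [{f.rule}] {f.snippet}")
```

Run against a real decompiled tree by feeding `scan_artifacts` the contents of `res/values/*.xml` and the decompiled source files; a non-empty result before release is the signal that a credential needs to move out of the build and the exposed one needs rotating. The rules are deliberately narrow and will miss secrets with innocuous key names, so treat an empty result as the absence of obvious mistakes rather than proof of a clean build.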

Alderson also found there was no authentication required to access 63red’s backend API, meaning essentially anyone could download the purportedly private information of its users, including their user IDs, email addresses, profile pictures, and more. More than 4,400 users had created a profile on the app so far, they said.

Alderson also noted that, given the unsecured API, it would likely be simple to download the entire user database en masse.

“Do not use this app, your personal security is at risk,” Alderson concluded. 63red was not pleased.

The company fired back on Tuesday with what begins as a very Facebook-esque response, promising that it takes its security “very seriously,” that security is its “primary concern,” and that it would continue to improve its “systems in any way possible” to guarantee the safety of its users. If only it had stopped there.

“As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well,” the company said, adding: “We see this person’s illegal and failed attempts to access our database servers as a politically-motivated attack, and will be reporting it to the FBI later today.” (emphasis ours)

It went on to say that the “perpetrator” should be “brought to justice” and that it planned to present its server logs to the authorities “as evidence of a crime.”

To be clear, no apparent crime has been committed here. Based on Alderson’s description and 63red’s own statement, it appears the company simply failed to secure its users’ information, and its admin left his own credentials visible to the public. Nothing was “hacked”.

63red’s reaction is itself a master class in how not to respond to a security incident: it embarrasses the company and further damages its own credibility. A statement thanking Alderson for pinpointing the now-fixed flaws and a promise not to repeat the foul-up going forward would have sufficed.

“I can understand 63red is angry but I’m here to help them, not the opposite,” Alderson told Gizmodo.

Of course, it’s also possible 63red knows its audience very well, and feeding users a line about this all being a politically-motivated conspiracy to discredit the app and its founder—carried out by the French, no less—will only encourage growth.

C’est la vie.
