Published March 13, 2019
The app, 63red Safe, has been grabbing headlines as a Yelp-like service that directs conservatives to businesses and restaurants that welcome all political beliefs. However, on Monday, French security researcher Robert Baptiste tweeted about a problem he found in the app's computer code: It contains an API vulnerability that allowed him to access the user database.
With such access, Baptiste was able to view the email addresses for 4,466 registered users in addition to their usernames, profile pictures, follower counts, and more. He also found that he could potentially block users from accessing the app, as well as insert new logs into the database.
"Conclusion: Do not use this app, your personal security is at risk," he said in a tweet, which was attached to a GIF of former President Barack Obama dropping a microphone. "In order to #MAGA, you can start by learn [sic] how to code an application," the tweet added.
In response, Baptiste told PCMag he merely decided to investigate the app out of curiosity after finding a vulnerability in another Trump-themed app. Last October, he discovered a serious security flaw in a dating app aimed at conservatives that was also leaking users' data, including their private chats.
"I'm French and a professional security researcher. I don't care about US politics," he said in a Twitter direct message.
Usually, security researchers are thanked, and even rewarded, for finding software vulnerabilities. But Baptiste said his findings clearly had the opposite effect on 63red. "It's a really bad sign and by doing that they are threatening the whole infosec [information security) community," he added.
The specific vulnerability in the 63red Safe app deals with an API that can let outside applications interact with the app. Ideally, the API should be secured with some kind of authentication. However, Baptiste noticed something odd when he decompiled the code for the app. The login credentials for the API were embedded in the app's source code.
"I did not hack your app, I read the available source code and I used your unauthenticated APIs. It's equivalent to us[ing] your app," he said in a tweet.
63red claims to have fixed the issue, but according to Baptiste the vulnerability has yet to be fully patched because no update to the app has been published. "I'm staying at the disposal of 63red if they need help to fix the issue," Baptiste added.
63red, which was founded by life-long Republican Scott Wallace, didn't immediately respond to a request for comment. The app itself was launched a week ago, but has received numerous negative reviews from what appear to be anti-Trump supporters.
Access to the reviews on the app also appear to be down. "We're sorry! Our 63red Safe app is experiencing heavy traffic right now, and may not load correctly," the website for the app currently says.