Websites and apps around the world encourage researchers to find bugs in their systems, but an Internet dating app for HIV-positive people threatens security researchers with HIV infection if they notify the company about any security bug in its app.
Hzone, an application for HIV-positive singles that has over 4,900 users, was told by security researcher Chris Vickery that its application was leaking user data, but the company didn’t respond. Vickery then informed Databreaches.net of the leak, after which the Databreaches.net admin received threats of HIV infection from the officials running the app.
“Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”
Excerpt from the email the Databreaches.net admin received after he identified the security issue to the dating app.
Hzone later apologized for the email and said it would take time to fix the problem, but it accused the researchers and Databreaches.net of altering information, which it said made it difficult for the company to understand how to secure its user data.
The company further said that the exposed information was accessed through just a single IP address, which is not true because Vickery accessed the data from multiple IP addresses.
The data leak was eventually plugged, but at one point, the email conversations got really silly, with the Hzone developers saying (via Salted Hash):
Hzone has other problems too. Once a profile has been created, its data cannot be deleted, even if the user no longer uses the application. So if the app suffers a data breach in the future, even people who no longer use the app will have their details exposed, and there is no system for notifying users about a breach.
As for the researcher, Vickery is the same security researcher who previously found 13 million MacKeeper customers’ data online.