A security researcher discovered that Unjected, a website promoting meetings between unvaccinated people, exposed the data of all its subscribed users. Unjected has been called “Tinder for anti-vaxxers.”
Unjected has been around for several years but has a following of only a few thousand people. The website also has some apps on Android and iOS, but Apple kicked Unjected’s app off its store for breaking COVID-19 regulations.
According to a report on Monday by Daily Dot, security researcher GeopJr discovered that the website’s security policies were definitely lacking. He was able to easily access the administrator dashboard and take control over the entire website. This meant that he had access to subscribed users’ data and all of the website’s functions, including deleting the underlying database.
During its investigation, Daily Dot contacted site co-founder Shelby Thomson about the issue. He admitted that some of the site's roughly 3,500 users had complained about the issue and promised to notify the technical team.
Unjected’s team made some modifications to the website, but the problems only got worse. Some users reported seeing pages of code instead of the website, with personal information like email addresses and IP addresses on display.
Soon after, Unjected’s website went down for a few days and returned with some of its problems fixed, including the issue of access to the admin account. However, security researchers say that other critical bugs in the website remain.