🔓 Found critical vulns in Taimi (LGBTQ+ dating app) - all fixed, $10k bounty
What I found:
- "Expiring" videos didn't expire, URLs stayed valid forever
- Decrement attachment ID = anyone's private videos
- Location feature bypassed photo permission checks (why upload a map preview image through the photo system??)
- Fake system messages (made a Raid Shadow Legends sponsorship lol)
The good news: Taimi actually handled this right. Fast response, $10k bounty, everything fixed quickly. No lawyers, no threats.
This is how disclosure should work. Take notes, Lovense.
Full writeup: https://bobdahacker.com/blog/taimi-idor
#InfoSec #BugBounty #ResponsibleDisclosure #IDOR #Taimi #DatingApp #Security #Privacy #CyberSecurity #LGBTQ
