HIV dating site threatens security researchers with Aids

An internet dating app for HIV-positive singles, Hzone, has a novel way of dealing with those who point out its sub-par security – it threatens them with Aids.

Now if I were a dating site for people who had any illness I would want to keep data about my 4,900 users as secret as possible. I would be grateful if someone pointed out a security flaw which exposed my user data.

Security researcher Chris Vickery discovered that the Hzone application was leaking user data, and properly disclosed the security issue to the company. The company refused to answer so Vickery enlisted the help of DataBreaches.net.

When DataBreaches.net informed Hzone that the details of the security issues would be written about, the company responded by threatening the website’s admin with HIV infection.

According to a company email, Hzone told the admin: “Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”

Hzone later said sorry for the threat, but it still took them some time to fix their flawed database. However the company accused DataBreaches.net and Vickery of “altering data”, which led to speculation that the company didn’t fully understand how to secure user information.

In one case the outfit claimed that only a single IP address accessed the exposed information, which is false considering Vickery used multiple computers and IP addresses.

Hzone has a few other problems. Once a profile has been created, it cannot be deleted – meaning that if member data is leaked again in the future, those who no longer use the Hzone service will have their histories exposed.

If their details are nicked, Hzone users will not be notified. The company seems to believe that telling users would amount to publication of their personal data.