[filldorns]

I really think you didn't do anything interesting in this post. This is because you need to authenticate to log in via OTP, and from that point on (with your IP and everything else) the system knows that it released this data specifically for you.

Even if you had managed to log in without authenticating, all users know that by uploading images there, they become public. It's worth noting that the coordinates of each user were not sent to you in the response, only those of users who are relatively close.

In short... using a dating app means knowing that you are in a public environment, just like going to a shopping mall, party, park...

[dozheiny]

I get what you’re saying, but I think you’re missing the point. Yes, the app needs OTP to log in, and yes, uploaded images are technically public—but what I was showing is different: once you’re authenticated, there’s basically no access control on user images. That’s not about OTP or being in a “public environment”; it’s a backend flaw. Anyone with minimal scripting can access all user photos without any extra checks.

Also, even if the API only gives “distance,” you can still roughly triangulate someone’s location within 200 meters, which I demonstrated. The post isn’t about blaming users—it’s about showing how sensitive data is exposed by design, which is a real privacy risk.