A mobile app marketed as a tool to help people curb or quit pornography use has left vast amounts of extremely sensitive user data publicly accessible, including detailed information about users’ sexual habits, emotional struggles, and ages. According to a security researcher who uncovered the issue, the exposed records include data that appears to belong to a significant number of minors.
The exposure was caused by a configuration error in the app’s backend system, allowing unauthorized individuals to access user information without special permissions. Despite being alerted months ago, the app’s developer has not fixed the vulnerability, the researcher said.
Because the security flaw remains active and the data is still accessible, the app’s name is being withheld to avoid further endangering users’ privacy.
Intimate Behavioral and Emotional Data Left Unprotected
The exposed records include information users voluntarily provided while using the app, such as their age, how frequently they consume pornography, emotional responses tied to that behavior, and what they believe triggers their habits. In many cases, users were also assigned internal “dependence scores” that appeared to assess the severity of their behavior.
Some profiles included deeply personal self-reported symptoms, such as difficulty concentrating, loss of motivation, memory problems, and mental fatigue often described as “brain fog.”
One profile reviewed showed a user who stated they were 14 years old. According to the data, the user reported viewing pornography multiple times a week, sometimes as many as three times in a single day. They identified boredom and sexual urges as key triggers and described ongoing struggles with focus, ambition, and mental clarity.
The researcher said examples like this were not isolated incidents, but part of a much broader dataset.
Hundreds of Thousands of Users Potentially Impacted
The security issue was discovered by an independent researcher who requested anonymity, citing concerns about retaliation or harassment. The researcher said they were able to access data associated with more than 600,000 user accounts.
Within that dataset, roughly 100,000 users appeared to identify themselves as minors, raising serious concerns about the handling of children’s data, particularly given the sensitive nature of the information involved.
Beyond structured data fields, the app also encouraged users to submit personal reflections or confessions about their struggles. These free-form entries often revealed emotional distress and vulnerability.
One such entry read: “I just can’t do this man I honestly don’t know what to do know more, such a loser, I need serious help.”
The researcher said they first notified the app’s creator about the vulnerability in September, outlining the problem and urging immediate corrective action.
Firebase Configuration Error Enabled Data Exposure
At the center of the issue is a misconfiguration involving Google Firebase, a widely used platform that provides backend services such as authentication and cloud database storage for mobile apps.
Firebase is designed to be easy for developers to use, but its default settings can expose databases if developers fail to properly restrict access. According to the researcher, the app’s Firebase setup allowed nearly anyone to authenticate themselves and view backend data that should have been private.
Security experts say this type of misconfiguration has been widely known for years and continues to be one of the most common causes of large-scale data exposure in mobile apps.
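The pattern described above, where any account that can sign up is treated as authorized, can be caught by auditing the rules file before it is deployed. The following is an added example, not code from the app, the researcher, or Trail of Bits; it assumes Cloud Firestore security rules, and the rule sets, collection names, and the `audit_rules` helper are constructed for illustration.

```python
import re

# Constructed Firestore rules; the app's real rules are not published.
WEAK_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /profiles/{userId} {
      allow read, write: if request.auth != null;
    }
    match /journal_entries/{entryId} {
      allow read;
    }
  }
}
"""

# Same collections, each document limited to the account that owns it.
HARDENED_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /profiles/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /journal_entries/{entryId} {
      allow read: if request.auth != null && request.auth.uid == resource.data.owner;
    }
  }
}
"""

ALLOW_RE = re.compile(r"\ballow\s+([a-z,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)

def audit_rules(text):
    """Return (line, methods, severity, reason) for each over-broad allow."""
    text = re.sub(r"//[^\n]*", "", text)  # drop line comments, keep line count
    findings = []
    for m in ALLOW_RE.finditer(text):
        methods = [x.strip() for x in m.group(1).split(",")]
        cond = " ".join((m.group(2) or "true").split())
        line = text.count("\n", 0, m.start()) + 1
        if cond == "true":
            findings.append((line, methods, "critical", "no condition: open to any client"))
        elif "request.auth" in cond and "request.auth.uid" not in cond \
                and "request.auth.token" not in cond:
            findings.append((line, methods, "high", "any signed-in account passes"))
    return findings
```

The check is a text heuristic: it does not evaluate custom functions or block comments, so a clean result should still be confirmed with the Firebase emulator's rules tests.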
App Creator Rejects Findings and Denies Exposure
When contacted by phone, the app’s founder disputed the researcher’s claims and denied that any sensitive user data had been exposed. While acknowledging prior communication with the researcher, he rejected the findings outright.
“There is no sensitive information exposed, that’s just not true,” the founder said. “These users are not in my database, so, like, I just don’t give this guy attention. I just think it’s a bit of a joke.”
He also suggested that the information reviewed by the reporter could have been fabricated.
However, when asked why he had previously thanked the researcher for responsibly disclosing the issue and indicated he would urgently fix it, the founder ended the call after wishing the reporter a good day.
Vulnerability Confirmed After Denial
Following the conversation, a new account was created on the app to independently test whether the exposure still existed. According to the researcher, the newly created profile appeared almost immediately in the same open Firebase database.
This test indicated that the vulnerability remained active and that new user data continued to be exposed, contradicting the developer’s claim that no such data existed or was accessible.
Security Experts Warn Issue Is Common and Preventable
Cybersecurity professionals say the situation reflects a broader, systemic problem rather than a rare technical failure.
Dan Guido, CEO of cybersecurity firm Trail of Bits, described Firebase misconfigurations as a “well known weakness” that is relatively easy to identify and exploit. In an email, Guido said his firm recently demonstrated how quickly such flaws can be found.
He noted that Trail of Bits was able to build a scanning tool using Claude, an AI assistant, in just 30 minutes to detect open Firebase databases.
“If anyone is best positioned to implement guardrails at scale, it is Google/Firebase themselves,” Guido said. He added that Google could detect unsafe configurations, issue strong warnings, or block insecure production setups altogether.
Guido compared the situation to earlier issues involving Amazon S3, a cloud storage service that historically exposed large volumes of sensitive data until Amazon implemented stricter safeguards.
Questions Raised About App Store Oversight
The researcher also criticized Apple’s app review process, arguing that it focuses heavily on design and user interface details while overlooking backend security.
“Apple will literally decline an app from the App Store if a button is two pixels too wide against their design guidelines,” the researcher said, “but they don’t, and they don’t check anything to do with the back end database security you can find online.”
The researcher argued that apps handling highly sensitive information—especially those used by minors—should be subject to stronger security checks before being approved for distribution.




