Why Wizz App does not care about its users’ security

Aaron
3 min read, Mar 15, 2024

Wizz is a social discovery app aimed at teenagers starting from age 13. It is needless to say that it is of great importance to keep these users’ data safe and protected from bad actors. Sadly, even after being taken down from both the Apple App Store & Google Play Store in late January 2024 & resurfacing a couple of weeks later, the app still presents various privacy issues.

The city, date of birth and “swipe preference”, the latter of which can be used to determine the user’s sexual orientation, are all visible to a bad actor who inspects the HTTP network requests between the Wizz mobile application and Wizz’s servers. Given the age of Wizz’s users, this is a serious privacy concern, as it exposes children on Wizz to the risk of being blackmailed or extorted. We were also able to retrieve device information & preferred age ranges. See below a (modified) response from Wizz’s servers when requesting the profile of a user. For privacy reasons, identifying attributes were removed from the screenshot.

JSON representation of a Wizz user — data coming from Wizz API

Furthermore, by modifying the aforementioned HTTP requests, it is possible to retrieve conversations (DMs) between any pair of users given their user IDs. There is no access control in place to prevent this, resulting in yet another serious privacy breach. It is needless to say that private messages can be of a sensitive nature, especially when shared between minors, who are still discovering their personality & sexuality. Find below an example of a conversation between two arbitrary users, with PII (personally identifiable information) censored for privacy.
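The two findings above (a profile response that returns every stored attribute, and a conversation endpoint with no participant check) are both server-side authorization and data-minimisation defects. As an added illustration that is not Wizz’s code, the snippet below models a minimal backend with constructed sample data and assumed field names, showing the unchecked lookup next to the hardened one: the caller identity comes from the authenticated session, never from the request body, and other users only receive an allow-listed profile.

```python
# Constructed sample data standing in for a Wizz-like backend.
# Field names and ids are assumptions, not taken from the real service.
USERS = {
    "u1": {"display_name": "A", "city": "Lyon", "date_of_birth": "2010-04-02",
           "swipe_preference": "boys", "device": "iPhone 13"},
    "u2": {"display_name": "B", "city": "Nice", "date_of_birth": "2009-11-20",
           "swipe_preference": "girls", "device": "Pixel 6"},
    "u3": {"display_name": "C", "city": "Paris", "date_of_birth": "2011-01-09",
           "swipe_preference": "both", "device": "Galaxy S21"},
}

# Conversations keyed by the unordered pair of participant ids.
CONVERSATIONS = {
    frozenset({"u1", "u2"}): [("u1", "hi"), ("u2", "hey")],
}

# Allow-list: the only profile fields another user is ever shown.
# Date of birth, swipe preference, device and city stay server-side.
PUBLIC_PROFILE_FIELDS = {"display_name"}


def get_profile(requester_id, target_id):
    """Serialise target_id's profile as seen by requester_id.

    The owner gets the full record; anyone else gets only the allow-listed
    fields, so sensitive attributes never reach the wire for third parties.
    """
    record = USERS[target_id]
    if requester_id == target_id:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_PROFILE_FIELDS}


def is_conversation_visible(requester_id, user_a, user_b):
    """Object-level authorization rule: only a participant may read a DM."""
    return requester_id in {user_a, user_b}


def get_conversation_unchecked(user_a, user_b):
    """Vulnerable shape: anyone who knows two user ids receives their DMs."""
    return CONVERSATIONS.get(frozenset({user_a, user_b}), [])


def get_conversation(requester_id, user_a, user_b):
    """Hardened shape: requester_id is taken from the verified session token
    (not from a client-supplied field) and checked against the participants."""
    if not is_conversation_visible(requester_id, user_a, user_b):
        raise PermissionError("requester is not a participant")
    return CONVERSATIONS.get(frozenset({user_a, user_b}), [])
```

The check belongs in the handler for every object lookup that takes an identifier from the client; the unchecked variant is kept only to make the missing step visible.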

Private conversation between two arbitrary Wizz users

We have also gained visual access to Wizz’s internal moderation & configuration dashboard, showing yet another lack of security. Here we were able to view the tools used by Wizz to perform mass messaging, moderation & configuration of the application. There we also found internal API documentation for Wizz’s mobile API servers. An endpoint to retrieve Wizz’s active A/B tests, leaking upcoming updates and roll-out percentages, was also found to be publicly available.

Wizz’ internal dashboard for moderation & configuration
Wizz AB Tests — Shrunk down for readability
Internal Swagger API Documentation

Lastly, we were also able to bypass Wizz’s verification system, which is supposed to “protect” its users. As a proof of concept, we created and verified an account representing Donald Trump, aged 13. Using this exploit, bad actors are able to create a verified account of any person, again putting Wizz users at serious risk of extortion/blackmail.

Verified Wizz account of former US President Trump — age 13

To say that Wizz is inconsiderate about the privacy of its users is the least we can do. As security researchers we hope that these issues can be resolved quickly and that they have not yet been abused by the sexual predators Wizz has dealt with in the past.
