Common Attacks Against New Apps
March 19, 2025
Security incidents happen to one-person startups and big companies alike. The pattern is usually the same: shipping fast, growing fast, and treating security as something to add later — until something goes wrong.
Here are real examples of incidents involving small web and mobile apps, and what could have prevented them.
Feeld Dating App – Sensitive User Data Exposure (2024)
Feeld, a UK-based dating app designed for people exploring alternative relationships, faced a serious security incident in 2024. Researchers discovered vulnerabilities that could've exposed private user data, including photos, messages, and sensitive relationship details.
Feeld fixed the issues within two months, but the situation highlighted how easily personal data could have been accessed.
How this could've been avoided:
- Implement proper authorization checks: Sensitive content should always be protected by strict access controls and verified user permissions.
- Conduct regular security audits and bug bounty programs: Feeld eventually committed to working with ethical hackers—this should've happened before the exposure.
Zapier – Code Repository Breach (2025)
Zapier, a well-known automation platform, experienced unauthorized access to its internal code repositories. Customer data unintentionally copied into debugging logs was potentially exposed. The breach occurred due to a misconfiguration of two-factor authentication (2FA) on an employee account.
How this could've been avoided:
- Enforce mandatory 2FA on all critical accounts: Especially for developer tools and admin access, 2FA should be non-optional and verified regularly.
- Avoid storing sensitive customer data in code repositories: Debug logs and development environments should never contain production user data.
Confidant Health – Therapy Session Data Exposure (2024)
A database belonging to Confidant Health, a telehealth startup, was left unsecured and publicly accessible. This leak exposed over 1.7 million activity logs and sensitive audio/video recordings of therapy sessions.
How this could've been avoided:
- Configure strict database access policies: Publicly accessible databases are almost always misconfigurations. Always apply IP restrictions, authentication, and network segmentation.
- Implement automated infrastructure security scans: Tools can continuously check for misconfigured storage buckets or databases.
MOVEit Software Breach – Massive Supply Chain Attack (2023)
While not a startup itself, the MOVEit breach affected thousands of organizations, many of them small startups using third-party software without reviewing its security posture. A vulnerability in MOVEit's software enabled attackers to steal sensitive files via SQL injection.
How this could've been avoided (from a startup's perspective):
- Assess third-party software risks: Startups should perform due diligence when integrating external platforms and regularly monitor vulnerability disclosures.
- Apply zero-trust principles and isolate critical systems: Even trusted third-party services should have minimal access to sensitive data.
SQL Injection
When user input isn't properly sanitized before using it in database queries, attackers can inject malicious SQL commands. This can lead to unauthorized data access, complete database deletion, or even server compromise. In 2017, the Equifax breach exposed 147 million customers' personal data due partly to SQL injection vulnerabilities. Even small apps aren't immune—a local restaurant's ordering system was compromised through SQL injection, leaking customers' credit card information.
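The mechanism above, as an added example that is not from the original post: the vulnerable lookup splices the input into the SQL text, so a crafted value rewrites the WHERE clause, while the parameterized lookup binds the same value as data and cannot be altered by it. The table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an app's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "ann@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Concatenating untrusted input into the query text lets the input
    # change the structure of the query, not just the value compared.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    # Parameter binding sends the value to the driver separately from the
    # SQL text, so it is only ever compared as a string, never parsed as SQL.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "ann@example.com"
    hostile = "x' OR '1'='1"        # turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, benign))   # one row
    print(lookup_vulnerable(conn, hostile))  # every row in the table
    print(lookup_safe(conn, hostile))        # []: no email equals that literal
```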
Cross-Site Scripting (XSS)
This occurs when your app displays unvalidated user input. Attackers inject malicious JavaScript that executes in other users' browsers. In 2014, eBay had an XSS vulnerability that allowed attackers to create legitimate-looking listings containing malicious JavaScript. On a smaller scale, an indie game developer's community forum was compromised when attackers injected scripts into profile descriptions that stole other users' login credentials.
Broken Authentication
Flaws in login systems are extremely common in new applications. The 2018 Panera Bread website leak exposed millions of customer records because the site didn't properly authenticate API requests for customer data. In another case, a small fitness tracking app had no brute force protection, allowing attackers to systematically guess passwords and access users' health data and running routes.
Insecure Direct Object References (IDOR)
This happens when your app accesses objects based on user-supplied input without proper authorization checks. In 2021, a major dating app had an IDOR vulnerability that allowed accessing other users' location data by simply changing ID numbers in API requests. A similar issue affected a portfolio site for photographers where changing the image ID in the URL revealed private commissioned work that wasn't meant to be public.
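The authorization check that the IDOR cases above (and the Feeld recommendation earlier) call for, as an added example not taken from any of the apps mentioned: the object is still looked up by the client-supplied id, but whether it is returned depends on who is asking. The image store, ids and sharing rules are constructed for the demonstration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester may not see the object (answer with 403 or 404)."""


@dataclass(frozen=True)
class Image:
    id: int
    owner_id: int
    private: bool
    path: str
    shared_with: frozenset = field(default_factory=frozenset)  # client user ids


# Constructed sample store. Sequential ids are exactly what makes
# "change the number in the URL" cheap when ownership is never checked.
IMAGES = {
    101: Image(101, owner_id=1, private=False, path="/img/101.jpg"),
    102: Image(102, owner_id=1, private=True, path="/img/102.jpg"),
    103: Image(103, owner_id=2, private=True, path="/img/103.jpg",
               shared_with=frozenset({3})),  # commissioned work shared with client 3
}


def get_image_vulnerable(image_id):
    # Fetches by the client-supplied id and returns it to whoever asked.
    return IMAGES[image_id]


def get_image(requester_id, image_id):
    # Authorization is a property of (requester, object), not of the id alone.
    img = IMAGES.get(image_id)
    allowed = img is not None and (
        not img.private
        or img.owner_id == requester_id
        or requester_id in img.shared_with
    )
    if not allowed:
        # One error for both "does not exist" and "not yours", so the
        # response cannot be used to enumerate which ids are real.
        raise Forbidden(f"image {image_id} not available")
    return img


def can_view(requester_id, image_id):
    try:
        get_image(requester_id, image_id)
        return True
    except Forbidden:
        return False
```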
Cross-Site Request Forgery (CSRF)
These attacks trick authenticated users into performing unwanted actions without their knowledge. In 2018, cryptocurrency exchange platform Coinbase patched a vulnerability that could have allowed attackers to drain users' accounts through CSRF. A smaller example involved a self-published author's website where an attacker created a malicious page that, when visited by the admin while logged in, changed book prices to $0.
Missing Rate Limiting
Without limits on how frequently actions can be performed, attackers can abuse your systems. In 2020, Zoom faced criticism for allowing unlimited password attempts without lockouts, enabling credential stuffing attacks. A small business's appointment booking system was overwhelmed when a competitor used automated tools to book and immediately cancel hundreds of fake appointments, preventing legitimate customers from scheduling.
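One way to add the missing protection described in both the Broken Authentication and Missing Rate Limiting sections, as an added example that is not code from any app named here: a sliding-window limiter applied per account (failed attempts only, so a user's own successful logins never lock them out) and per client address (every request, to stop one address spraying many accounts). The user table and the limits are constructed assumptions.

```python
import hmac
import time
from collections import deque


class SlidingWindowLimiter:
    """At most `limit` recorded events per `window` seconds for each key."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = {}  # key -> deque of event timestamps

    def _prune(self, key):
        q = self._events.setdefault(key, deque())
        now = self.clock()
        while q and now - q[0] >= self.window:  # drop events outside the window
            q.popleft()
        return q

    def blocked(self, key):
        return len(self._prune(key)) >= self.limit

    def record(self, key):
        self._prune(key).append(self.clock())


# Constructed credential store; a real app stores password hashes, not text.
USERS = {"ann": "correct-horse"}

per_account = SlidingWindowLimiter(limit=5, window=300)  # 5 failures / 5 min
per_ip = SlidingWindowLimiter(limit=20, window=60)       # 20 requests / min


def login(username, password, client_ip):
    # Check limits before touching credentials, so blocked attempts cost
    # nothing and reveal nothing about the account.
    if per_ip.blocked(client_ip) or per_account.blocked(username):
        return "rate_limited"
    per_ip.record(client_ip)  # every request counts against the address
    stored = USERS.get(username, "")
    if stored and hmac.compare_digest(stored, password):
        return "ok"
    per_account.record(username)  # only failures count against the account
    return "invalid_credentials"
```

In a multi-process or multi-host deployment the limiter state has to live in a shared store (for example Redis) rather than in process memory, or each worker enforces its own separate budget.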
Exposed Secrets and API Keys
In 2024, researchers found over 3 million GitHub repositories leaking API keys and other secrets. The consequences are real: one indie game developer accidentally exposed their AWS keys in a public repository, resulting in cryptocurrency miners being deployed on their account, generating thousands of dollars in unexpected charges in just 24 hours.
Outdated Dependencies
The massive 2017 Equifax breach affected 147 million people and resulted from failing to patch a known vulnerability in Apache Struts. On a smaller scale, a local nonprofit's donation page was compromised because it used an outdated version of a payment processing library with a known vulnerability, resulting in donations being redirected to fraudulent accounts.
Improper Error Handling
The 2019 Capital One breach exposed data of over 100 million customers partially due to misconfigured error handling that revealed too much information. A small e-commerce site for handmade goods unintentionally leaked customer shipping addresses through detailed error messages when order processing failed.
Lack of HTTPS
In 2017, all Starbucks user accounts were potentially exposed when their website failed to use HTTPS for login forms. A local music teacher's student portal transmitted lesson recordings and payment information without encryption, allowing a malicious actor at the same coffee shop to intercept student data and payment details.
You don't need to be a security expert to avoid these mistakes. Modern frameworks have built-in protections against many of them, as long as you use them as documented and don't write your own solutions from scratch.
Each attack described in this post has a dedicated post with a more detailed discussion of the mechanisms and the ways to protect against it:
- SQL Injection and XSS (server-side validation and sanitization): Input Validation Basics and Why Frontend Validation Is Never Enough
- Broken Authentication (authentication strategies, password hashing, 2FA): Basic User Authentication Strategies
- IDOR and missing authorization checks: Common Authorization Pitfalls and Implementing Basic Permission Systems
- Missing Rate Limiting: Why Rate Limiting Matters
- Exposed Secrets and API Keys (how to manage keys in a development environment): Securing Your Development Environment and Authentication Tokens and API Keys
- Outdated Dependencies (how to audit and update dependencies): Third-Party Libraries
- Lack of HTTPS (encryption in transit and at rest): When and What to Encrypt
If you're looking for a place to start testing the security of your own application, DIY Security Testing shows free tools and basic methods.
Sources: OWASP Top 10, Feeld Dating App Vulnerabilities (The Register, 2024), Zapier Code Repository Breach (TechRadar, 2025), Confidant Health Database Exposure (HIPAA Journal, 2024), MOVEit Supply Chain Attack (CISA Advisory AA23-158A)