An anti-vaccine dating website that allows users to procure “mRNA FREE” semen left its users’ personal data exposed online.
The site, Unjected, launched in May 2021 and claims to be the “largest unvaccinated platform” on the internet. Unjected initially made headlines in August after its app was removed from the Apple App Store for violating the company’s policies regarding COVID-19.
Similar in design to Twitter and often referred to as the “Tinder for anti-vaxxers,” Unjected has remained under the radar ever since, quietly adding new features for its small userbase. The site now offers what it describes as “mRNA FREE blood match & fertility directories” where unvaccinated users can donate blood, sperm, or eggs to one another.
While some of the ads for blood appear legitimate, others, such as one offering up unvaccinated semen, appear to have been made in jest. The site’s fertility section allows users the option to offer up their eggs, breastmilk, or semen. Users can also offer to be a surrogate.
Yet, according to the programmer and security researcher known online as GeopJr, the site’s administrator dashboard was openly accessible to anyone. The dashboard allows Unjected’s administrators to add, edit, or deactivate pages, such as the website’s “About Us” section, as well as users’ accounts.
The discovery was made after GeopJr noticed that Unjected’s web application framework had been left in debug mode, allowing them to learn pertinent information “that someone with malicious intent could abuse.”
After the Daily Dot set up a test account on the platform, GeopJr was able to change the account’s private email address, username, and profile picture. GeopJr was also able to edit a public post made by the Daily Dot and change its wording.
Other data, such as the site’s backups, could be downloaded or deleted. GeopJr was able to give away $15-per-month subscriptions to Unjected as well as reply to and delete help center tickets and reported posts.
Speaking with the Daily Dot, GeopJr argued that the site appeared to have been set up hastily and that basic security protocols were ignored.
“Almost none of the actions an admin or a user can take require any kind of authentication whatsoever,” they said. “Anyone can directly manipulate parts of its database and its content.”
To further confirm the authenticity of the leak, the Daily Dot emailed well over a dozen users after being provided with the private email addresses of the site’s roughly 3,500 members. While none of the users responded directly, one user admitted to being contacted and posted the Daily Dot’s email to Unjected’s feed. Another user contacted the Daily Dot over Twitter to inquire about the post.
Numerous users on the email list even purported to work in the medical field. A search for one such email address led to a LinkedIn page for a woman who claimed to be a mental health specialist with expertise in “Quantum Medical Hypnosis.”
Unjected’s co-founder Shelby Thomson acknowledged learning of the security issues in a comment on the platform after users contacted by the Daily Dot began reaching out to the site’s support desk.
In an email to the Daily Dot, Thomson stated that she would alert her technical team to the issues outlined by the Daily Dot and begin fixing the vulnerabilities. Shortly after, users reported running into numerous glitches on Unjected that made their personal information even more exposed than before.
One user, who was met with a message stating that his account did not exist while attempting to log in to the Unjected app, claimed that after he registered a new account, the app asked for and published his home address.
“I’m trying to be as kind as possible when I say, take the app down now before you end up in the courts and don’t release it until you do proper software development testing on it,” the user wrote on Unjected. “I take my privacy and security very serious and your app has several violated trust, security, privacy and safety.”
In response to the scathing post, another user claimed that upon logging in they were redirected to a page of code from the site’s backend revealing their email address, IP address, browser information, and more. The Daily Dot also saw the same page and information regarding its test account shortly after Unjected said that it began fixing the issues.
“I agree that this site should be taken offline until they get all the security issues resolved,” the second user said. “As a precaution I have removed my profile photo, switched to a burner email address and removed all personal information from my profile. It basically defeats the whole purpose of using this site, but I don’t feel there is any level of security here.”
A follow-up email by the Daily Dot to Thomson regarding the new issues went unanswered on Thursday. Early Friday, the entire site went temporarily offline before returning. Although some of the issues had been fixed, others remained.
Thomson did not respond to a subsequent follow-up email from the Daily Dot regarding the prevalent issues on Friday but shared numerous inspirational quotes on her Unjected profile. The site was taken offline multiple times over the weekend, returning with only some of the issues fixed before going down once again.
The Unjected website was brought back online today. Thomson has not made a public statement about its return. The most critical issue, the exposure of user data, has been fixed. Numerous non-critical bugs remain.
This post has been updated.