Tinder for stoners app HighThere! discovered to share unencrypted data that is easily accessible
A Tinder-style, dating-cum-social app for pot users has been exposed as having “student level security,” leaving user data easily accessible to law enforcement or hackers.
The HighThere! app was first made widely available in the Apple App Store and on Google Play in April 2015 and matches users based on several factors, including how marijuana affects them personally as well as how they prefer to consume it, along with aspects unrelated to getting stoned such as interests and hobbies.
While the similarities to Tinder are obvious, they stop at the underlying technology: Tinder matches users via geolocation data that is stored on its own server, whereas HighThere! works out how close users are by sending the app itself a copy of the location data and then having the user’s phone compute the distance to the other person.
If that’s not bad enough, the location data is sent unencrypted as well.
According to Synack Security, who spoke to Mic, what that means is that “HighThere is constantly bouncing around unencrypted dossiers of its users — confessed marijuana consumers — in the open air for anyone to intercept. That information includes user location, down to the foot.”
The company demonstrated a test where they were able to obtain information on a user named John:
…the Synack team instantly pulled up the information of someone named John and listed his profile information, saying that he preferred to smoke his weed, had a “medium” energy level and listed gaming and music as his interests.
Synack punched John’s latitude and longitude into Google Maps, and everyone on the phone line burst out laughing: John was right around the corner, in the building of a nearby law firm, possibly an employee there.
The firm explained that it would be easy for law enforcement to pick a target area, watch everyone using HighThere on a map and identify dealers by seeing who quickly visits multiple users throughout the day, let alone create a dossier of illegal drug users in the given area.
“You could not write a better tool for arresting people than this,” a Synack employee said.
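The difference between the two designs described above, as an added example that is not code from HighThere!, Tinder or Synack: the first function returns what a phone would need to compute distance itself, the second computes distance on the server and returns only a coarse band. The record fields, sample users and band sizes are assumptions constructed for illustration, and either response still has to travel over an encrypted connection.

```python
import math

EARTH_RADIUS_KM = 6371.0
BUCKETS_KM = (1, 5, 10, 25, 50)  # assumed coarse distance bands shown to users

# Constructed sample records; field names are assumptions, not the app's schema.
USERS = {
    "viewer": {"name": "Ann", "lat": 40.7128, "lon": -74.0060, "interests": ["film"]},
    "u2": {"name": "John", "lat": 40.7138, "lon": -74.0050, "interests": ["gaming", "music"]},
    "u3": {"name": "Sam", "lat": 40.9000, "lon": -74.3000, "interests": ["hiking"]},
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def distance_band(km):
    """Map an exact distance to a coarse label instead of a precise figure."""
    for limit in BUCKETS_KM:
        if km <= limit:
            return f"within {limit} km"
    return f"over {BUCKETS_KM[-1]} km"

def client_side_payload(viewer_id, users):
    """Design described in the article: other users' raw coordinates go to the phone."""
    return [dict(u, id=uid) for uid, u in users.items() if uid != viewer_id]

def server_side_payload(viewer_id, users):
    """Server computes the distance; coordinates never appear in the response."""
    me = users[viewer_id]
    out = []
    for uid, u in users.items():
        if uid == viewer_id:
            continue
        km = haversine_km(me["lat"], me["lon"], u["lat"], u["lon"])
        out.append({"id": uid, "name": u["name"], "interests": u["interests"],
                    "distance": distance_band(km)})
    return out
```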
Practice safe internet
Putting aside that the pathetic level of protection provided to users in this app is a disgrace to begin with, it’s always best to practice safe internet and not share that you’re doing something illegal online, presuming you’re not living in one of the few states that have now legalized recreational marijuana use.
Even if the app itself were actually secure, putting that information online anywhere always carries the risk of being detected.
HighThere! issued a statement in response to the story saying that they were “working diligently to enhance our current measures of protecting data” and that “work will be completed in the very near future, with an upcoming release that will include industry standard encryption, throughout all levels of the application.”
Image credit: iliekcake/Flickr/CC by 2.0