At least three people warned Quittr, an app that aims to help men stop masturbating, about serious security issues for months, but the creators of the app didn’t fix them until weeks after 404 Media reached out for comment several times.
“I emailed the founders and defined the vulnerability. A developer responded, mentioned he was ‘wanting into methods to make our safety higher,’ and requested how I discovered it. I walked him by it step-by-step, even defined that the API key being client-sided is regular for Firebase and that they simply wanted to implement safety guidelines,” an independent researcher who goes by Kaeden said on her personal blog. “Then nothing. I adopted up. No response. I adopted up once more. Nothing.”
I first wrote about Quittr’s security vulnerability in January after hearing about the app’s security problems from a different independent security researcher. At the time, I didn’t name the app because Quittr had not fixed the issue despite my reaching out to the developers about it several times. That security researcher found that Quittr had a misconfiguration issue in its use of the mobile development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage, where in many instances user data is stored.
That researcher initially contacted Quittr about the issue in September. Quittr’s founder, Alex Slater, acknowledged the issue, thanked the researcher, and said he would fix it in a matter of hours. When the researcher saw the issue still wasn’t fixed months later, they contacted 404 Media. I reached out to Slater and Quittr several times. Slater initially denied there was a security vulnerability, but then fixed the issue sometime before March 10. After this, I saw that Quittr had finally fixed the vulnerability and published another story naming the app.
Slater was also recently profiled in New York Journal, which detailed the opulent lifestyle the success of Quittr has afforded them, including driving exotic supercars and living in a Miami mansion. Slater shares videos about his lifestyle on his personal YouTube channel as well.
Some of the data the researcher could access included users’ age, how often they said they watched porn, and written confessions about their porn watching habits. Many of the users self-identified as minors, according to the data.
In March, Kaeden provided me with emails showing he contacted Quittr about the same vulnerability on July 3, 2025.
“Your firebase (Database) is misconfigured its potential to learn/write to something, one of many issues its potential to do for instance is listing all customers and their information, which is fairly unhealthy for an app of this nature,” Kaeden said in her email to Quittr. Kaeden also told Quittr exactly how to fix the issue and said that a bug bounty “can be extremely appreciated” but he never received one.
A Quittr developer who identified as Caio emailed Kaeden asking for more information and thanked her for responsibly disclosing the issue. Kaeden provided that information, but never heard back.
Since I published my story about Quittr in March, yet another independent security researcher, who asked to remain anonymous, contacted me to say they had also notified Quittr about a similar vulnerability in August 2025. Altogether, three different security researchers told Quittr it was jeopardizing sensitive user data before 404 Media reached out to the app for comment about the issue not being fixed.
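For readers who run Firebase backends, the kind of misconfiguration described above (any signed-in client can read, write and list everything) and an owner-scoped correction look like this in Cloud Firestore security rules. This is an added illustration, not Quittr's actual rules or code from the researchers; it assumes Firestore rather than the Realtime Database, and the `users` collection and the field names are hypothetical.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK pattern (shown commented out): "authenticated" is the only check.
    // When the app allows self sign-up or anonymous sign-in, any client that
    // obtains a token passes it and can read, write and list every document.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // CORRECTED pattern: each user can reach only their own document.
    // "users" and the field names below are hypothetical.
    match /users/{userId} {
      // Single-document reads, only by the owner.
      allow get: if request.auth != null && request.auth.uid == userId;

      // No client may enumerate the collection.
      allow list: if false;

      // Writes only by the owner, limited to expected fields and types.
      allow create, update: if request.auth != null
        && request.auth.uid == userId
        && request.resource.data.keys().hasOnly(['age', 'frequency', 'journal'])
        && request.resource.data.age is int;

      allow delete: if request.auth != null && request.auth.uid == userId;
    }

    // Paths with no matching rule are denied by default.
  }
}
```

Rules of this kind can be exercised against the Firebase Local Emulator Suite before deployment, so a regression to the permissive pattern is caught in testing.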
About the author
Emanuel Maiberg is interested in little known communities and processes that shape technology, troublemakers, and petty beefs. Email him at emanuel@404media.co

