Build the right model before making loud claims

How Public Dating Security Actually Works

Profiles, likes, APIs, photos, and scraping are often compressed into one word: "leak." That makes a dramatic post, but it makes poor security analysis. This guide separates normal open-service behavior from a genuine bypass of protection.

Dating LLC16 minute read
01 DisplayWhat a participant intentionally publishes to others
02 ActionWhat an authenticated user is allowed to do
03 ScaleHow a service constrains automation
04 SecretWhat must never become public

The base model

The same request can be normal, abusive, or dangerous. Context decides which

In security, "I received a profile through an API" is not enough. We must establish who the profile was meant for, whether authentication existed, which fields were returned, whether a server rule was bypassed, and at what scale the request was repeated.

An open dating service is designed to show profiles to other participants. The server accepts a request, selects a suitable card, and returns a name, bio, city, interests, and published photos. That is useful functionality. The same request becomes a problem if it exposes private chats, payment records, internal fields, or content the user never published.

Layer 1

Visibility

Who may see a particular profile and its public fields.

Layer 2

Authority

What a signed-in user may do: like, report, or message.

Layer 3

Scale

How many cards and actions can be obtained over time and per account.

Layer 4

Secrecy

Which data remains private regardless of interface or subscription.

The central error in sensational framingWhen these four layers are collapsed, a public photo becomes a "leak," an ordinary like becomes a "bypass," and automation becomes "database access." Technically these are separate claims, and each needs separate evidence.

The data boundary

A public profile does not mean an entire account is public

A user publishes a profile in order to be discovered. A profile photo, display name, stated age, bio, and selected interests are therefore intended for other people in the service. Visibility is not a contradiction in this model. It is the purpose of publishing.

At the same time, the service holds data that is not intended for general viewing: access tokens, moderation history, payment records, internal signals, private conversations, and technical logs. The meaningful security boundary lies between these groups.

Public layerProfile and selected media

Displayed to participants as part of the product.

Private layerChats, payments, and tokens

Must not be disclosed to unrelated users.

Conditional layerIncoming likes and relationships

Access depends on product rules, plan, and consent.

Operational layerModeration and internal analytics

Available only to the server and authorized staff.

Calling an entire API response "personal data in the open" without examining its fields is like calling a shop window a breached warehouse. The window really is visible. That proves nothing about access to the stockroom.

APIs without mystique

An API is how the interface talks to the server, not a special door for attackers

When someone presses a button in Instagram, TikTok, Telegram, or Mimolet, the app sends a request. That request can be observed in developer tools. The fact that it can be repeated manually does not establish a bypass. Security belongs on the server because every client can be modified.

The right question is not "can the API be called?" It is "does the server verify identity, status, authority, and limits on every call?" If it does, a technical client receives the same powers as the normal interface. If it does not, there is a meaningful issue.

NormalAn authenticated participant calls a permitted function
ProblemThe server trusts a hidden button or JavaScript instead of its own check
NormalAnother client reproduces the request under the same rules
ProblemAnother client removes a subscription, ban, consent, or limit
API security is not determined by whether a request can be sent. It is determined by whether the request can obtain more authority than the server granted.

Likes and open dating

Being able to like a known public profile is normal product behavior

Dating exists so people can discover one another and express interest. If a participant has already seen a public profile in the feed, a top list, search, or an internal link, the ability to react is logical. Whether the request comes from the official interface or another technical client, authority is still defined by the server.

The phrase "the API can like anyone" needs three qualifications. First, the target is an existing public profile, not access to someone else's account. Second, an authenticated user sends the request in their own name. Third, the action remains subject to server rules and limits.

Normal behavior: user A sends a like to public profile B within A's daily allowance. A real vulnerability would exist if A could act without signing in, impersonate C, continue after a ban, or exceed a server-side limit.

Current Mimolet likes are limited by the server according to plan: 60, 250, 500, or 1,200 actions per day. The ability to reach a reaction route is therefore not the same as unlimited bulk action.

Public photos

If a photo is displayed, it can be saved. No social network can repeal that fact

To display an image, a server must deliver it to a browser or app. After delivery, a user can take a screenshot, record the screen, inspect the cache, capture the network response, or photograph the display with another device. This is not a Mimolet peculiarity. It is how public content works on Instagram, TikTok, Telegram, and ordinary websites.

A presigned URL is useful when access to the source object should expire. It complicates later reuse of the old link, but it cannot erase a downloaded file. Disabling the context menu hides a menu, not data. A watermark supports investigation but does not prevent copying. DRM raises the cost of video extraction but still cannot stop screen recording.

PossibleDisable object enumeration

A visitor does not receive the inventory of the whole storage system.

PossibleRemove predictable names

UUIDs make neighboring objects harder to guess from sequential IDs.

PossibleConstrain bulk requests

Limits and behavioral signals raise the cost of collection.

Impossible promisePrevent saving what was displayed

A pixel delivered to a person has already crossed the service boundary.

Honest security does not sell a physically impossible promise. It minimizes unnecessary disclosure, separates public and private data, makes bulk collection harder, and responds quickly to abuse.

Object storage

Access to one public file and a listing of the entire S3 bucket are fundamentally different modes

A public profile photo must load from an exact URL or the card will be blank. That does not mean the server should provide a list of every file. Listing is a separate operation that exposes structure and object names. That is what should be closed.

Anonymous Mimolet bucket listing is now disabled and returns HTTP 403. Current new media use UUID names, and locked incoming-like previews do not embed the real user ID in the path. This reduces the ability to guess adjacent objects. The exact image for a public profile remains available by design.

Exact objectThe app loads the photo it is supposed to display
ListingThe storage system enumerates every name and directory
Current statusAnonymous listing is closed: HTTP 403
Current statusPublic media requires an exact opaque path

Scraping without magical thinking

Automation cannot be eliminated. It can be made expensive, bounded, and visible

A script can reproduce user actions. The more public a service is, the more surfaces it offers for automation. Search engines crawl pages, analytics systems collect prices, marketing tools analyze social networks, and abusers imitate browsers. There is no universal "disable scraping" switch.

A rate limit reduces speed, but distributed collection uses many addresses and accounts. CAPTCHA filters simple scripts but harms accessibility and can be outsourced. Device binding helps but creates friction when phones change. Protection is therefore layered and proportional to actual risk.

Layer 1Authentication

An anonymous visitor does not receive a personalized user feed.

Layer 2Budgets

Reads and actions are bounded on the server.

Layer 3Opacity

UUIDs and cursors avoid simple sequential enumeration.

Layer 4Signals

Frequency, patterns, and anomalies help detect automation.

"Automation is possible" does not imply "a private database was obtained." Data category, authority, speed, sample completeness, and the ability to bypass control budgets all sit between those statements. The Habr framing jumps over those steps and selects the most alarming label.

Terminology

IDOR begins with broken object authorization, not with the existence of an ID

IDOR occurs when changing an identifier gives a user an object they have no right to access. The important element is not the shape of the ID or the ability to edit a URL. It is the missing authority check.

If every participant is allowed to see a public profile, requesting that profile by a known identifier does not by itself prove IDOR. If the same technique reveals a hidden profile, someone else's chat, an unpublished file, or an internal field, the boundary has been crossed.

Not proof of IDORA client-controlled identifier

Clients necessarily send identifiers in most applications.

Not proof of IDORViewing an authorized public object

The product model already grants that visibility.

Proof of a problemObtaining an object outside the allowed scope

The server failed to verify the user-to-object relationship.

Proof of a problemDisclosure of unnecessary private fields

Even a public object must not include internal data.

Subscriptions and product logic

Liking a known profile and revealing who liked you are not the same feature

Premium dating plans often provide incoming likes, advanced filters, priority, and larger limits. That does not mean the subscription sells the right to like a specific person. If a profile is already known through the public product, an ordinary reaction remains an ordinary reaction.

To prove a Premium bypass, a free user must obtain the paid result itself: a real identity in incoming likes, an original photo, bulk processing, or another gated capability. The existence of a general reaction route proves none of those outcomes.

The current free incoming-likes response in Mimolet does not reveal the real ID, name, or original photo URL. Bulk response verifies the subscription on the server. The claim should be evaluated against that current result, not against the superficial similarity of two buttons.

Sessions, devices, and bans

Multiple active sessions are normal. Session fixation is a specific attack

A user may sign in from a phone, browser, and Telegram Web. Each context receives a session. Several working tokens do not show that an attacker forced a victim to use a session identifier already known to the attacker. Without that mechanism, the session fixation label is incorrect.

Rigid IP binding is not a universal baseline control either. Mobile addresses change between towers, CGNAT groups thousands of people, and VPNs switch exit nodes. Such a check creates mass false logouts and offers little protection against an attacker on the same network.

The meaningful test is whether a blocked account can continue protected actions. The current Mimolet API checks blocked status on every authenticated request. The decision is made by the server, not merely by the screen to which the user is redirected.

Historical code and the current product

A technical article becomes stale when it continues to present removed routes as today's architecture

The first publication bases much of its story on several PHP files and a negative offset. Those entry points no longer serve the product. Current Mimolet uses a different API with mandatory authentication and server-side checks.

Cited in the articleCurrent state
profile_view.php404route removed
feed_classic_api.php404route removed
test.php404diagnostic file removed
Negative offsetGonenot present in the current feed
Current profile and feed without login401authentication required

Today's 404 responses do not rewrite history or prove the state of a particular day in the past. They prove something narrower: those old routes cannot describe the current product. A current conclusion requires testing the current architecture.

From a network response to a business fantasy

An API does not reveal contracts, accounting, advertisers, or bank accounts

The number of collected profiles does not reveal monthly active users. Telegram channel subscribers do not reveal app activity. An LLC registration address does not establish a tax violation. Network traffic cannot expose advertising contracts that do not exist.

Nevertheless, the publication combines these unrelated numbers into a story about ad sales, "unofficial accounts," investors, and intentionally weak security. None of those conclusions came from access to contracts, bank records, accounting, or company analytics.

Mimolet factAdvertising has never been sold

The product has no advertisers or advertising revenue.

Mimolet factThe operator is official

The service is owned and operated by Dating LLC.

Mimolet factThere are no "unofficial accounts"

The allegation is not based on payment records.

Method errorGeography proves no violation

Development location and an LLC address are not technical evidence of a scheme.

A technical test can prove a server response. Without additional sources, it cannot prove an owner's motive, movement of money, or an advertiser relationship.

Scores, icons, and authoritative presentation

CVSS measures a specific vulnerability through a vector. It is not a scale of textual emotion

A CVSS score is built from formal parameters: network reachability, complexity, required privileges, user interaction, and impact on confidentiality, integrity, and availability. A verifiable score includes the complete vector and exact exploitation conditions.

The source text places "criminal prosecution," "loss of advertisers," and "payment blocking" next to self-assigned numbers. These claims are not CVSS parameters and do not automatically follow from a technical observation. The forecast of lost advertisers is especially revealing for a product that never sold advertising.

Legal classification also depends on the data involved, processing mode, operator actions, and applicable law. Writing "violation" under a table does not turn a private opinion into a regulator or court decision.

A verifiable example from the second post

The Exim banner exposed a base version, but the author treated it as the full Ubuntu revision

The sequel used Exim 4.97 Ubuntu as evidence of CVE-2026-45185. That is insufficient on Linux distributions because security fixes are often backported without changing the upstream base version. The external banner does not expose the Ubuntu package suffix.

Ubuntu's official security page states that the fix for Ubuntu 24.04 entered package 4.97-4ubuntu4.5. That revision was installed on the server on May 14, followed by .6 on June 3. The post appeared on June 27. The claim of a vulnerable version was therefore wrong on its publication date.

Fixed package 4.97-4ubuntu4.5 installed
Next revision 4.97-4ubuntu4.6 installed
Claim of a vulnerable version published from the abbreviated banner
Official Ubuntu Security page for CVE-2026-45185Ubuntu 24.04 LTS status and the fixed package revision

Research quality

A large dump does not replace minimal proof, and AI-style writing does not replace verification

A bug can usually be demonstrated with minimal reproduction using the researcher's own or purpose-built test data. Downloading thousands of profiles does not prove the mechanism more strongly. It only increases the amount of other people's data held by the researcher and the consequences of the researcher's own actions.

The publication contains visible signs of generation or heavy AI editing: repeated severity and business-impact matrices, mechanical analogies, emoji risk levels, formulaic summaries, and confident conclusions where sources are missing. This does not prove a specific model, but it helps explain why the format feels stronger than the evidence.

Sample12,340 profiles are not total MAU

Monthly activity measures visits over time, not one obtained dataset.

AgeA 15-19 group is not an under-18 group

An aggregate band cannot directly establish the claimed child percentage.

AuthorshipAI style does not automatically disprove a fact

Every fact still needs a reproducible check.

EthicsData minimization applies to researchers too

Collecting everything available is unnecessary for responsible reporting.

What matters today

Real Mimolet security is measured by current boundaries, not archived drama

No live service ever finishes security work. Limits are refined, anti-bot signals grow stronger, legacy routes are removed, and authorization rules receive regression tests. But an endless pursuit of impossible absolute protection should not replace the business reality of an open product.

  • Current profile and feed routes require authentication and return 401 without login.
  • The cited legacy routes and diagnostic file have been removed and return 404.
  • Blocked-user status is checked on every API request.
  • Likes are limited by the server, not only by the interface.
  • Free incoming likes do not reveal real IDs, names, or original media paths.
  • Anonymous S3 listing is disabled, and new media names are not based on Telegram IDs.
  • A displayed public photo remains saveable because otherwise it could not be displayed.

The precise formula is simple: public content is a product model, an API is a transport, scraping is a scale risk, and a vulnerability is a demonstrated bypass of a specific boundary. Mixing these concepts is useful for sensation and useless for security.

Official Mimolet response with technical statusThe first detailed review of routes, S3, sessions, business allegations, and Exim Public dating is not a data breachThe second, more direct review of the publication's category errors
Official serviceMimolet

Mimolet, Mimolet Bot, mimoletbot, @mimoletbot, Мимолет, and Мимолет Бот are names for the same product operated by Dating LLC.

Open @mimoletbot

Sources and related materials

  1. Habr publication dated May 4, 2026
  2. Second Habr post dated June 27, 2026
  3. Official Ubuntu Security page for CVE-2026-45185
  4. Official Mimolet response to the publications
  5. Logic-first analysis of the public-dating claims

This article reflects verified product status and available sources as of July 17, 2026.