Vulnerabilities in the "Flat Earth Clock" app
In October 2024, the HTTP API for Flat Earth Dave's (aka DIRTH) "Flat Earth Sun Moon & Clock" mobile app was found to be leaking passwords. Following attempts to contact and notify Dave and his developers, Blue Water Bay, of this and other issues, and in line with responsible disclosure practices, we published our initial findings of vulnerabilities in our GitHub repo. We have made the results of our investigation public in the interest of the safety and privacy of the app's users, and for the awareness of the broader flat earth research and debunking communities.
We are keeping a close eye on the mobile app and its HTTP API, and following future attempts to contact and notify those involved, we will also update the repo and this site with any further vulnerabilities we find.
Advice for Current Users
If you are a user of the app on either Android or iOS, we strongly recommend that you:
- Change your password! An earlier version of the app exposed passwords, and so you should consider your password compromised. If you use the same password for accounts in other apps or services, change your password there as well (and use different passwords for each app or service).
- Remove any personally identifiable information from the app, including your phone number, date of birth, and anything else you would not want to be publicly known. This data is also currently exposed with few safeguards, and can be used against you in social engineering attacks to gain access to things like your bank account.
- Do not use the Friend Finder or any other location-based features. We would in fact recommend not using the app at all until the vulnerabilities are sufficiently addressed. In the case of the Friend Finder feature, the exact location of any user is provided with unnecessary accuracy, exposing your home address, place of work, etc. Even using the "approximate location" setting doesn't help, as the way it works can still be reversed to determine your exact location.
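For developers reading this, the Friend Finder point above is about how an "approximate location" feature is built, not just whether one exists. The helper below is an added example written for this page; it is not code from the app or from Blue Water Bay, and it assumes a backend that holds a user's precise fix and must publish only a coarse one. It snaps every fix to a fixed grid cell and returns the cell centre, so that no matter how many times a user is looked up, or how the user moves within the cell, the published value is the same and never carries more than cell-level information.

```python
"""Deterministic location coarsening for an "approximate location" feature.

Added example, not the app's code. Assumptions (hypothetical): the server
holds precise (lat, lon) fixes and wants to publish a coarse position to
other users. Snapping to a fixed grid means repeated lookups of the same
user return an identical value, so there is nothing extra to learn from
asking again.
"""
import math
from dataclasses import dataclass

# Grid cell edge in degrees. 0.05 deg of latitude is roughly 5.5 km; the
# east-west size of a cell shrinks towards the poles (see cell_extent_km).
DEFAULT_CELL_DEG = 0.05


@dataclass(frozen=True)
class CoarseLocation:
    """The only location data the backend should ever publish."""
    cell_lat: int          # grid row index
    cell_lon: int          # grid column index
    centre_lat: float      # centre of the cell, in degrees
    centre_lon: float
    cell_size_deg: float


def coarsen(lat: float, lon: float, cell_size_deg: float = DEFAULT_CELL_DEG) -> CoarseLocation:
    """Snap a precise fix to its grid cell and return the cell centre.

    The result depends only on which cell the fix falls in, never on the
    exact point inside it, and is stable across repeated calls.
    """
    if not (-90.0 <= lat <= 90.0) or not (-180.0 <= lon <= 180.0):
        raise ValueError("latitude/longitude out of range")
    if cell_size_deg <= 0:
        raise ValueError("cell size must be positive")
    cell_lat = math.floor(lat / cell_size_deg)
    cell_lon = math.floor(lon / cell_size_deg)
    return CoarseLocation(
        cell_lat=cell_lat,
        cell_lon=cell_lon,
        centre_lat=(cell_lat + 0.5) * cell_size_deg,
        centre_lon=(cell_lon + 0.5) * cell_size_deg,
        cell_size_deg=cell_size_deg,
    )


def published_cells(fixes, cell_size_deg: float = DEFAULT_CELL_DEG) -> set:
    """Set of distinct (row, col) cells a sequence of precise fixes maps to.

    Useful as a review check: a user who stays inside one cell must map to
    exactly one published value, however many fixes were recorded.
    """
    return {(c.cell_lat, c.cell_lon)
            for c in (coarsen(lat, lon, cell_size_deg) for lat, lon in fixes)}


def cell_extent_km(lat: float, cell_size_deg: float = DEFAULT_CELL_DEG) -> tuple:
    """Approximate (north-south, east-west) size of a cell in km at a latitude.

    Lets the app tell users honestly how coarse "approximate" really is.
    Uses ~111.32 km per degree of latitude, a standard spherical approximation.
    """
    km_per_deg = 111.32
    ns = cell_size_deg * km_per_deg
    ew = cell_size_deg * km_per_deg * math.cos(math.radians(lat))
    return ns, ew


if __name__ == "__main__":
    # Constructed sample fixes (not real user data): a user moving a few
    # hundred metres around central London.
    walk = [(51.5074, -0.1278), (51.5090, -0.1300), (51.5060, -0.1250)]
    print("published cells:", published_cells(walk))
    print("cell size (km):", cell_extent_km(51.5))
```

The key property is determinism: the same cell is published for every fix inside it, and a user who moves around within a cell still maps to one cell. A per-user random offset, by contrast, is a fresh value on every lookup and leaks more with each request, which is the kind of design weakness the advice above is warning about.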
Tags: mobile apps, flat earth dave, dirth