At least three people warned Quittr, an app that wants to help men stop masturbating, about serious security issues for months, but the creators of the app didn’t fix them until weeks after 404 Media reached out for comment multiple times.
“I emailed the founders and explained the vulnerability. A developer responded, said he was ‘looking into ways to make our security better,’ and asked how I found it. I walked him through it step by step, even explained that the API key being client-sided is normal for Firebase and that they just needed to implement security rules,” an independent researcher who goes by Kaeden, said on her personal blog. “Then nothing. I followed up. No response. I followed up again. Nothing.”
I first wrote about Quittr’s security vulnerability in January after hearing about the app’s security problems from a different independent security researcher. At the time, I did not name the app because Quittr did not fix the issue despite reaching out to the developers about it multiple times. That security researcher found that Quittr had a misconfiguration issue in its use of the mobile development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage where in many instances user data is stored.
That researcher originally contacted Quittr about the issue in September. Quittr’s founder, Alex Slater, acknowledged the issue, thanked the researcher, and said he would fix it in a matter of hours. When the researcher saw the issue still wasn’t fixed months later, they contacted 404 Media. I reached out to Slater and Quittr multiple times. Slater initially denied there was a security vulnerability, but then fixed the issue sometime before March 10. After this, I saw Quittr finally fixed the vulnerability and published another story naming the app.
Slater was also recently profiled in New York Magazine, which detailed the opulent lifestyle the success of Quittr has afforded them, including driving exotic super cars and living in a Miami mansion. Slater shares videos about his lifestyle on his personal YouTube channel as well.
Some of the data the researcher could access included users’ age, how often they said they watched porn, and written confessions about their porn watching habits. Many of the users self-identified as minors, according to the data.
In March, Kaeden provided me with emails showing he contacted Quittr about the same vulnerability on July 3, 2025.
“Your firebase (Database) is misconfigured its possible to read/write to anything, one of the things its possible to do for example is list all users and their info, which is pretty bad for an app of this nature,” Kaeden said in her email to Quitter. Kaeden also told Quittr exactly how to fix the issue and said that a bug bounty “would be highly appreciated” but she never received one.
A Quittr developer who identified as Caio emailed Kaeden asking for more information and thanked her for responsibly disclosing the issue. Kaeden provided that information, but never heard back.
Since publishing my story about Quittr in March, yet another independent security researcher, who asked to remain anonymous, contacted me to say they also notified Quittr about a similar vulnerability in August 2025. Altogether, three different security researchers told Quittr it was jeopardizing sensitive user data before 404 Media reached out to the app for comment about the issue not being fixed.
