Urgent warning as 1.5 MILLION private photos are leaked from BDSM dating apps – so, have your sexy snaps been exposed?


Cybersecurity researchers have issued an urgent warning as almost 1.5 million private photos from dating apps are exposed.

Affected apps include the kink dating sites BDSM People and CHICA, as well as LGBT dating services PINK, BRISH, and TRANSLOVE – all of which were developed by M.A.D Mobile.

The leaked files include photos used for verification, photos removed by app moderators, and photos sent in direct messages between users – many of which were explicit.

These sensitive snaps were being stored online without password protection, meaning anyone with the link could view and download them.

Researchers from Cybernews, who discovered the vulnerability, say this easily exploited security flaw put up to 900,000 users at risk of further hacks or extortion.

A spokesman for M.A.D Mobile told MailOnline they were ‘confident that none of the images were downloaded by malicious actors’ and that the issue has now been resolved.

However, the developer is still not entirely certain why such critically sensitive user information was left entirely unprotected.

M.A.D Mobile is ‘currently conducting an internal investigation’ but it believes the issue stemmed from ‘a simple human error’.

Cybersecurity experts have issued an urgent warning after almost 1.5 million private images from BDSM and LGBT dating apps were exposed online. Images like this (blurred to preserve privacy) were available to anyone with access to a publicly available link 

The code of the app BDSM People (pictured) led to an unsecured storage location containing 1.6 million files and over 128GB of data. Among those files were 541,000 photos users had sent to each other or uploaded to the app, including a large number of explicit images

Ethical hacker Aras Nazarovas, who discovered the security vulnerability, told MailOnline he was ‘shocked’ that such obviously private messages were publicly accessible.

The apps’ publicly available code included what developers call ‘secrets’, things like passwords and encryption keys normally meant to remain hidden.

Surprisingly, these secrets also included the locations of unsecured online storage ‘buckets’ where over one million user photos were being held.

‘Developers of the app had disabled built-in security features such as requiring authentication to access images stored within. Additionally, there were no access controls in place for users to only be able to access images that they uploaded or received via private messages,’ says Mr Nazarovas.

‘Because of this, an attacker would only need to know the name of the bucket, which was hardcoded in the app, to access these images.’

For example, the secret left in the code of the app BDSM People allowed access to a storage bucket with 1.6 million files and over 128GB of data.

Among those files were 541,000 photos users had sent to each other or uploaded to the app, including a large number of explicit images.
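The per-user access control that Mr Nazarovas describes as missing can be sketched as follows. This is an added example, not code from M.A.D Mobile, Cybernews or the original article; the user names, image paths, `IMAGE_ACL` table and signing key are constructed placeholders, and it assumes the caller's identity has already been authenticated by the server.

```python
import hashlib
import hmac
import time

# Constructed sample data (hypothetical): who may see each stored image.
IMAGE_ACL = {
    "img/1001.jpg": {"owner": "alice", "recipients": {"bob"}},
    "img/1002.jpg": {"owner": "carol", "recipients": set()},
}
# Placeholder key: kept on the server, never shipped inside the app.
SIGNING_KEY = b"server-side-placeholder-key"


def may_view(user, image):
    """Only the uploader or a private-message recipient may view an image."""
    entry = IMAGE_ACL.get(image)
    return entry is not None and (
        user == entry["owner"] or user in entry["recipients"]
    )


def _sign(user, image, expires):
    msg = f"{user}\n{image}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(user, image, now=None, ttl=300):
    """Return a short-lived token for an authorised user, otherwise None."""
    if not may_view(user, image):
        return None
    expires = int(time.time() if now is None else now) + ttl
    return f"{expires}.{_sign(user, image, expires)}"


def serve(user, image, token, now=None):
    """Storage front end: 200 only for a valid, unexpired token and a passing ACL."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return 403  # missing or malformed token
    if expires < now:
        return 403  # link has expired
    if not hmac.compare_digest(sig.encode(), _sign(user, image, expires).encode()):
        return 403  # token was issued for another user or image
    return 200 if may_view(user, image) else 403
```

With this in place, knowing an image's name or storage location is not enough: every request needs a token bound to the requesting user, the image and an expiry time.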

Mr Nazarovas says: ‘It is not surprising that dating apps may contain such messages especially ones sent in private messages between users – even more so when talking about apps specializing in “kinks”.

This image was sent from one BDSM People user to another in a private message. The storage location where it was discovered had no password and was not encrypted (image edited to preserve privacy)

The dating app CHICA specialises in connecting women with wealthy men and has been downloaded 80,000 times. The app’s code leaked almost 45GB of data, including 133,000 images of app users, some of which were shared privately in direct messages

Which dating apps have been affected?

BDSM People – Kinky Fetish Dating 

CHICA – Selective Luxy Dating

TRANSLOVE

PINK

BRISH


‘However, my first reaction when I first investigated one of these apps was shock, as I wasn’t expecting to open a picture of a naked man.’

BDSM People alone has been downloaded over 200,000 times, indicating that a large number of people may have been affected.

Likewise, the app CHICA – Selective Luxy Dating, which specialises in connecting women with wealthy men, contained a link to a storage bucket containing 133,000 images of app users.

A number of apps catering to the LGBT community were also affected, including TRANSLOVE, PINK, and BRISH.

Collectively, these three apps left more than 1.1 million user pictures exposed.

Those included thousands of images which had been sent between users in private messages.

Although the images themselves do not contain any identifying information and are not linked to specific accounts, malicious actors could still uncover the individuals behind the images.

Mr Nazarovas says: ‘Sensitive NSFW [Not Safe for Work] images are often used for blackmail purposes, as well as attempts at discrediting people in professional fields.

A number of sites specialising in LGBT dating were also affected, including Translove, Pink, and Brish. Collectively these apps leaked over one million user photos 

This image was sent in a private message on the Translove app and was publicly available online due to security flaws. Researchers warn that these kinds of images could be used for blackmail or extortion purposes 

‘In cases of LGBTQ+ apps that were affected, some of the users may not be public about their sexuality, and images of this nature being accessed by unauthorized parties can cause strong emotional responses.’

In countries where homosexuality is illegal, there is a risk that exposed users could face prosecution as a result of their identification.

M.A.D Mobile maintains that a mass download of user data by a malicious actor would have been noticeable on their servers and that this was not detected.

Worryingly, Cybernews research shows that these kinds of security flaws may be shockingly common on the Apple App Store.

The researchers downloaded 156,000 iOS apps, about eight per cent of the App Store, and found that a vast majority had the same security issue.

Of the apps analysed, 7.1 per cent leaked at least one ‘secret’ with the average app exposing 5.2.

HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED

Have I Been Pwned?

Cybersecurity expert and Microsoft regional director Troy Hunt runs ‘Have I Been Pwned’.

The website lets you check whether your email has been compromised as part of any of the data breaches that have happened. 

If your email address pops up you should change your password.

Pwned Passwords

To check if your password may have been exposed in a previous data breach, go to the site’s homepage and enter your email address.

The search tool will check it against the details of historical data breaches that made this information publicly visible. 

If your password does pop up, you’re likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.

Mr Hunt built the site to help people check whether or not the password they’d like to use was on a list of known breached passwords. 

The site does not store your password next to any personally identifiable data and every password is encrypted.

Other Safety Tips

Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use. 

Next, enable two-factor authentication. Lastly, keep abreast of any breaches.

source: dailymail.co.uk

