Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.
Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.
These services are used by an estimated 800,000 to 900,000 people.
M.A.D Mobile was first warned about the security flaw on 20 January but didn’t take action until the BBC emailed on Friday.
They have since fixed it but not said how it happened or why they failed to protect the sensitive images.
This is one of the photos that anyone could have accessed. We have cropped the face and blurred it to enhance privacy
Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services.
He was shocked that he could access the unencrypted and unprotected photos without any password.
[…]
In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring.
But there’s no guarantee that Mr Nazarovas was the only hacker to have found the image stash.
“We appreciate their work and have already taken the necessary steps to address the issue,” a M.A.D Mobile spokesperson said. “An additional update for the apps will be released on the App Store in the coming days.”
The company did not respond to further questions about where the company is based and why it took months to address the issue after multiple warnings from researchers.
Usually security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at further risk of attack.
But Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it.
[…]
In 2015 malicious hackers stole a large amount of customer data about users of Ashley Madison, a dating website for married people who wish to cheat on their spouse.
