- Five kink and LGBT apps exposed sensitive user images
- The images were stored on a server without password protection
- The apps’ developer left the issue unfixed for months
Five dating apps exposed over 1.5 million private and explicit images after storing the images in cloud storage buckets without any password protection.
Cybersecurity researchers found the image servers of BDSM People, Chica, Pink, Brish and Translove to be highly vulnerable to hackers, putting between 800,000 and 900,000 people at risk of blackmail and extortion.
The five sites are all from developer M.A.D Mobile, who was notified of the exposed servers on January 20 but did not remediate the issue until March 28, after the cybersecurity researchers published a report on the exposed servers.
Explicit images exposed
Cybernews researcher Aras Nazarovas discovered the exposed private image servers while conducting analysis on the code that powers the BDSM People app.
“The first image in the folder was a naked man in his thirties. As soon as I saw it I realised that this folder should not have been public,” Nazarovas told the BBC.
On the servers, Nazarovas found several hundred gigabytes of photos, including images from profiles, images sent in direct messages, images that were supposedly removed from the app by moderators, photos from public posts, profile verification photos, and photos included in comments.
While the issue has now been remediated, there is no way of knowing how long the servers were exposed, or if Nazarovas was the only person to discover the trove of explicit images.
A M.A.D Mobile spokesperson said, “We appreciate their work and have already taken the necessary steps to address the issue. An additional update for the apps will be released on the App Store in the coming days.”
Outside of the risk of extortion posed by the unprotected cloud storage buckets, users of the apps in countries with hostile attitudes to LGBT peoples were also put at risk.
Dating apps and sites are lucrative targets for hackers due to the highly sensitive personally identifiable information they store. If hit by a ransomware attack, the attackers could not only extort the company for money, but also threaten individuals with the exposure of their data if they don’t pay a fee.
Leave a comment