Kink and LGBT dating apps exposed 1.5m private user images online

A serious security issue has come to light involving several dating apps that cater to specific communities, including those interested in kink and LGBT dating. Researchers have uncovered that nearly 1. 5 million private images from these apps were stored online without any password protection, making them accessible to anyone with the link. This alarming discovery raises significant concerns about user privacy and safety, especially since many of these images are explicit in nature. The dating apps affected include Chica, BDSM People, Pink, Brish, and Translove, which collectively serve an estimated 800,000 to 900,000 users. M. A. D Mobile, the company behind these apps, was first alerted to the security flaw on January 20, but they did not take immediate action to rectify the situation until the BBC reached out to them. Although the company has since addressed the issue, they have not provided any details on how the breach occurred or why they failed to secure the sensitive images in the first place. The ethical hacker who discovered this vulnerability, Aras Nazarovas from Cybernews, was shocked to find that he could access unprotected photos without needing a password. He began his investigation with the BDSM People app and was taken aback when the first image he encountered was of a naked man in his thirties. Nazarovas quickly realized that the folder containing these images should not have been publicly accessible. The images in question were not limited to profile pictures; they also included private messages and even some images that had been removed by moderators. This lack of security poses a significant risk to users of these platforms. Malicious hackers could exploit this vulnerability to extort individuals, and there is an added danger for users residing in countries that are hostile towards LGBT individuals. Fortunately, the text content of private messages was not found to be stored in the same manner, and the images were not labeled with usernames or real names, which complicates the process of targeting specific users. In a statement, M. A. D Mobile expressed gratitude to the researcher for identifying the vulnerability and helping to prevent a potential data breach. However, there is no assurance that Nazarovas was the only hacker who discovered the unprotected images. A spokesperson for M. A. D Mobile stated, 'We appreciate their work and have already taken the necessary steps to address the issue. ' They also mentioned that an additional update for the apps would be released on the App Store soon. The company did not respond to further inquiries regarding their location or the delay in addressing the issue despite multiple warnings from researchers. Typically, security researchers wait until a vulnerability is resolved before making a public announcement to avoid putting users at further risk. However, Nazarovas and his team chose to raise the alarm while the issue was still active, as they were concerned that the company was not taking appropriate action to fix it. Nazarovas stated, 'It's always a difficult decision, but we think the public needs to know to protect themselves. ' This incident serves as a reminder of the importance of security in the digital age, especially for platforms that handle sensitive personal information. In 2015, a similar situation occurred when hackers stole a large amount of customer data from Ashley Madison, a dating website for married individuals seeking extramarital affairs. The implications of such breaches can be severe, affecting not only the individuals involved but also the reputation of the companies that fail to protect their users' data.