Recent developments reveal major security oversight in several dating apps, compromising user privacy and safety
Kink and LGBT Dating Apps Expose Private User Images, Sparking Security Concerns
Nearly 1.5 million explicit photos laid bare, leaving users vulnerable to exploitation
In a major breach of user privacy, researchers have uncovered almost 1.5 million images, many of them explicit, from five dating apps that cater specifically to kink and LGBTQ+ communities. The images were stored online without proper security measures. The exposed platforms, including Chica, BDSM People, Pink, Brish, and Translove, are operated by M.A.D Mobile and are reportedly used by around 800,000 to 900,000 individuals.
The security vulnerability was initially flagged to M.A.D Mobile on January 20, yet the firm only took action to remedy the situation after receiving inquiries from the BBC. Although the company has since rectified the flaw, it has not disclosed details on how the breach occurred or why it took so long to address the critical security issues.
Ethical hacker Aras Nazarovas from Cybernews was the first to highlight the troubling security gap, having gained access to the unencrypted images through code analysis. "I was astonished that I could access these sensitive images without a password," Nazarovas exclaimed, emphasizing the potential for dangerous consequences. The exposed images included not just user profile pictures but also images from private messages, and even images removed by moderators, posing a significant risk to user safety, especially for those residing in regions hostile to the LGBTQ+ community.
While M.A.D Mobile expressed gratitude towards Nazarovas for identifying the vulnerability, they made it clear that there's no assurance he was the only individual privy to this data. The company plans to roll out an additional update to the apps soon but has not addressed inquiries regarding its operational base or why the vulnerability was neglected for months despite multiple alerts.
In an unorthodox move, Nazarovas and his team chose to inform the public of the live vulnerability, driven by their apprehension about user safety. Protocol usually prevents researchers from making vulnerabilities public while they are still exploitable; however, they believed it was imperative to notify users so that they could safeguard themselves. This incident is drawing comparisons to the notorious 2015 Ashley Madison data breach, reminding users of the growing necessity to prioritize online security.