The situation was first flagged to M.A.D Mobile on January 20, but it wasn't until the BBC reached out that any action was taken. Ethical hacker Aras Nazarovas from Cybernews initially alerted the company about the vulnerability after uncovering the unencrypted storage of images. Shocked by the ease of access, he noted, “The first image I found was a naked man in his thirties," revealing the depth of the security issue.
In addition to profile pictures, the compromised material included explicit images shared privately and those removed by moderators. Nazarovas emphasized the substantial risks this presented, particularly for users in countries with hostile attitudes toward the LGBT community.
In a statement, M.A.D Mobile acknowledged the importance of the findings, expressing gratitude to Nazarovas for highlighting the vulnerability. They assured that steps had been taken to rectify the situation, although they did not provide a comprehensive explanation for the time taken to respond following initial warnings.
While private messages were not found to be stored in the same vulnerable manner, the specter of malicious hackers exploiting the available images loomed large. The app's name labels were not linked to user identities, potentially complicating targeted attacks, yet the threat remains significant.
Nazarovas and his team chose to publicize the vulnerability while it was still live due to concern over the app's inaction. "The public need to know to protect themselves," he stated, underscoring a crucial balance between security and transparency.
The incident echoes the infamous 2015 Ashley Madison hack where malicious actors leaked sensitive user data from a dating site tailored for extramarital affairs, raising enduring questions about user privacy in the digital age.
In addition to profile pictures, the compromised material included explicit images shared privately and those removed by moderators. Nazarovas emphasized the substantial risks this presented, particularly for users in countries with hostile attitudes toward the LGBT community.
In a statement, M.A.D Mobile acknowledged the importance of the findings, expressing gratitude to Nazarovas for highlighting the vulnerability. They assured that steps had been taken to rectify the situation, although they did not provide a comprehensive explanation for the time taken to respond following initial warnings.
While private messages were not found to be stored in the same vulnerable manner, the specter of malicious hackers exploiting the available images loomed large. The app's name labels were not linked to user identities, potentially complicating targeted attacks, yet the threat remains significant.
Nazarovas and his team chose to publicize the vulnerability while it was still live due to concern over the app's inaction. "The public need to know to protect themselves," he stated, underscoring a crucial balance between security and transparency.
The incident echoes the infamous 2015 Ashley Madison hack where malicious actors leaked sensitive user data from a dating site tailored for extramarital affairs, raising enduring questions about user privacy in the digital age.
