More than 1,500,000 photographs shared on LGBTQ+, fetish and sugar daddy dating apps have been ‘leaked’, researchers say.
Sensitive information, including passwords, was published in the code of five mobile dating apps.
This information, called ‘secrets’, can be used by hackers to crack open the Google Cloud Storage bucket where an app user’s photos are stored.
Researchers from the independent news outlet Cybernews found that this bucket was not password protected.
This meant the images inside, which included profile pictures, public posts, privately sent photos and even images used to verify a user’s identity, were publicly accessible to those who knew where to look.
The affected iOS apps – BDSM People, CHICA, TRANSLOVE, PINK, and BRISH – are all owned by MAD Mobile Apps Developers Limited, a London-based software company.
The lead researcher, Aras Nazarovas, told Metro that the team are not aware of any third parties accessing this information.
MAD has not yet commented.
The reason user photos were exposed is a simple one: MAD uses the same architecture for all five apps, Nazarovas, a junior information security researcher at Cybernews, told Metro.
‘The affected dating apps were developed in an insecure manner, storing all user-uploaded images in a public Google Cloud Storage bucket,’ he said.
‘This issue was left unnoticed until the Cybernews research team found these publicly accessible cloud storage buckets after scanning 156,000 iOS apps for sensitive information.’
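The failure Nazarovas describes is a storage bucket whose access policy grants read access to everyone. Below is an added example, not Cybernews' scanner or MAD's code, of how a defender would check their own Google Cloud Storage bucket for exactly that condition. It works on the JSON shape returned by `gcloud storage buckets get-iam-policy BUCKET --format=json` and `gcloud storage buckets describe BUCKET --format=json`; the two sample policies and bucket records below are constructed.

```python
"""Flag world-readable grants in a Google Cloud Storage bucket's IAM policy.

Added example. Inputs mirror the JSON returned by
`gcloud storage buckets get-iam-policy` (policy) and
`gcloud storage buckets describe` (bucket metadata). All sample data is constructed.
"""
from typing import Dict, List

# Principals that make a binding readable by anyone on the internet (allUsers)
# or by anyone with any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy: dict) -> List[dict]:
    """Return one finding per role that is granted to a public principal."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_PRINCIPALS.intersection(binding.get("members", []))
        if exposed:
            findings.append({"role": binding["role"], "members": sorted(exposed)})
    return findings


def public_access_prevention_enforced(bucket: dict) -> bool:
    """True when the bucket's iamConfiguration.publicAccessPrevention is 'enforced'.

    With prevention enforced, GCS refuses public bindings and object ACLs,
    so existing public grants stop being effective.
    """
    iam_cfg = bucket.get("iamConfiguration", {})
    return iam_cfg.get("publicAccessPrevention") == "enforced"


def assess_bucket(bucket: dict, policy: dict) -> dict:
    """Summarise whether objects in the bucket are reachable without credentials."""
    findings = public_bindings(policy)
    prevented = public_access_prevention_enforced(bucket)
    return {
        "bucket": bucket.get("name"),
        "public_bindings": findings,
        "public_access_prevention": prevented,
        # Public only if a public grant exists AND nothing blocks it.
        "public": bool(findings) and not prevented,
    }


# Constructed sample: the insecure pattern (objectViewer granted to allUsers).
EXPOSED_POLICY: Dict = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:app-backend@example-project.iam.gserviceaccount.com"]},
    ]
}
EXPOSED_BUCKET: Dict = {
    "name": "example-user-uploads",
    "iamConfiguration": {"publicAccessPrevention": "inherited",
                         "uniformBucketLevelAccess": {"enabled": True}},
}

# Constructed sample: the corrected configuration (only the backend may read,
# and public access prevention is enforced as a backstop).
HARDENED_POLICY: Dict = {
    "bindings": [
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app-backend@example-project.iam.gserviceaccount.com"]},
    ]
}
HARDENED_BUCKET: Dict = {
    "name": "example-user-uploads",
    "iamConfiguration": {"publicAccessPrevention": "enforced",
                         "uniformBucketLevelAccess": {"enabled": True}},
}

if __name__ == "__main__":
    for bucket, policy in ((EXPOSED_BUCKET, EXPOSED_POLICY), (HARDENED_BUCKET, HARDENED_POLICY)):
        result = assess_bucket(bucket, policy)
        print(result["bucket"], "PUBLIC" if result["public"] else "private", result["public_bindings"])
```

One caveat a practitioner should keep in mind: when uniform bucket-level access is disabled, individual objects can also be made public through legacy object ACLs, which do not appear in the bucket IAM policy, so this check covers the policy layer only. In the hardened variant the app's backend serves images to authenticated users itself, and the mobile app never needs a credential that can read the whole bucket.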
Nazarovas said that the leaky storage bucket doesn’t mean scammers could access a person’s username, email or messages.
But they could track down a user’s identity by using OSINT, or open-source intelligence techniques, such as reverse image searching. That is especially troubling for LGBTQ+ users who may not be open about their identity.
‘Images accessed by bad actors could have been used for blackmail and intimidation,’ Nazarovas warned.
‘Finding out that these images were leaked would likely cause distress, trust issues, as well as other harm to the user’s mental health. Especially when approached with a blackmail demand.’
App developers, the team found, stored user secrets as ‘plaintext credentials’, a way of storing private info akin to writing down a password on a sticky note.
Among the apps was BDSM People, ‘a private app for those looking for something more than just a date’, its App Store description says.
The app is for people interested in bondage, discipline, dominance, submission and sadomasochism, or BDSM.
Yet the secrets tucked away in its application code allowed access to 1,600,000 files and 128GB of data, including 541,000 images.
CHICA, meanwhile, is an app for ‘sugar-dating’. This involves a ‘sugar baby’ connecting with a ‘sugar daddy’ in a relationship that offers financial support in exchange for companionship and possibly sex.
Researchers said CHICA’s code contained ways for people to access almost 45GB of data, including 133,000 images of app users.
Three apps tailored to LGBTQ+ people, TRANSLOVE, PINK and BRISH, were also vulnerable. Their buckets contained 142,000, 620,000 and 404,000 leaked files, respectively.
PINK, a lesbian dating app, says its team verifies profiles and moderates the app to keep it ‘secure’.
But according to Cybernews, 45,000 blurred pictures, 43,000 pictures sent through chat, 1,000 pictures posted on comment sections, 12,000 images removed by moderators, 112,000 photos included in posts, 363,000 profile pictures and 44,000 photos used to verify profiles were all exposed.
‘The results of this investigation show that some apps can be incredibly insecure, exposing private user data to the open internet and leaving it completely unprotected,’ said Nazarovas.
‘While some other apps employ better cybersecurity practices, these apps are also not without dangers, as private information could be shared without permission by the person you’re chatting with.’
Nazarovas said that app developers and distributors alike need to do more to protect user data.
App stores, he suggested, could scan submitted apps for basic security issues and loopholes.
‘While it may not catch 100% of such vulnerabilities, it would significantly reduce such cases,’ Nazarovas added.
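The kind of check Nazarovas suggests, scanning a submitted app for plaintext credentials before it reaches users, is the same check a development team can run on its own build. The example below is added here and is not Cybernews' tooling or MAD's code. It takes a mapping of file path to text, as you would have after unpacking an app bundle and extracting strings from its binaries and configuration files, and reports embedded service-account JSON, PEM private-key blocks and hard-coded password assignments. The sample files are constructed, and the key material in them is fake.

```python
"""Scan extracted app files for plaintext credentials.

Added example. Input is {path: text} for files unpacked from an app bundle.
The three patterns cover what should never ship inside a client app:
a Google service-account JSON document, a PEM private-key block, and a
password or secret assigned in a config file. Sample files are constructed.
"""
import re
from typing import Dict, List

# (finding kind, compiled pattern). Patterns are deliberately narrow so a hit
# is worth a human look; broaden them for your own code base as needed.
PATTERNS = [
    ("service_account_json", re.compile(r'"type"\s*:\s*"service_account"')),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ("password_assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret)\s*[=:]\s*['\"]?[^\s'\"]{6,}")),
]


def redact(value: str) -> str:
    """Keep only the first and last four characters so reports don't re-leak the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> List[dict]:
    """Return one finding per (line, pattern) hit in a single file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "match": redact(match.group(0))})
    return findings


def scan_bundle(files: Dict[str, str]) -> List[dict]:
    """Scan every file in path order and concatenate the findings."""
    findings: List[dict] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


# Constructed sample bundle. The service-account file and password are fake;
# in a real build the JSON would be a complete Google service-account key.
SAMPLE_FILES: Dict[str, str] = {
    "Payload/App.app/Config/service-account.json": (
        '{\n'
        '  "type": "service_account",\n'
        '  "project_id": "example-project",\n'
        '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvFAKEKEYMATERIAL\\n-----END PRIVATE KEY-----\\n",\n'
        '  "client_email": "uploader@example-project.iam.gserviceaccount.com"\n'
        '}\n'
    ),
    "Payload/App.app/Config/settings.ini": (
        "[storage]\n"
        "bucket = example-user-uploads\n"
        "password = hunter2hunter2\n"
    ),
    "Payload/App.app/Info.plist": "<plist version=\"1.0\"><dict/></plist>\n",
}

if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_FILES):
        print(f"{finding['path']}:{finding['line']} {finding['kind']} {finding['match']}")
```

Run against the constructed bundle, the scanner flags the service-account document twice (its type marker and its embedded private key) and the password in `settings.ini`, and reports nothing for `Info.plist`. The fix for any hit is the same: move the credential to a backend the app talks to over an authenticated API, rotate the exposed key, and have the build pipeline fail on findings so the pattern cannot return.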