Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.

Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove. These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20 January but didn't take action until the BBC emailed on Friday. They have since fixed it but not said how it happened or why they failed to protect the sensitive images.

Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services. He was shocked that he could access the unencrypted and unprotected photos without any password.

"The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he said. "As soon as I saw it I realised that this folder should not have been public."

The images were not limited to those from profiles, he said – they included pictures which had been sent privately in messages, and even some which had been removed by moderators.

Mr Nazarovas said the discovery of unprotected sensitive material comes with a significant risk for the platforms' users. Malicious hackers could have found the images and extorted individuals. There is also a risk to those who live in countries hostile to LGBT people.

None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex.
In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring. But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash.

"We appreciate their work and have already taken the necessary steps to address the issue," a M.A.D Mobile spokesperson said. "An additional update for the apps will be released on the App Store in the coming days."

The company did not respond to further questions about where the company is based and why it took months to address the issue after multiple warnings from researchers.

Usually security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at further risk of attack. But Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it.

"It's always a difficult decision but we think the public need to know to protect themselves," he said.

In 2015 malicious hackers stole a large amount of customer data about users of Ashley Madison, a dating website for married people who wish to cheat on their spouse.
Kink and LGBT dating apps exposed 1.5m private user images online