
Dating apps exposed 1.5M private user pictures online. Say what!
What's the story
M.A.D Mobile, the company behind a number of niche dating platforms, stored nearly 1.5 million private user images online without password protection.
The affected platforms include BDSM People and Chica, along with LGBT services Pink, Brish, and Translove. These services serve an estimated user base of 800,000-900,000 people.
The images were discovered on an unprotected online storage space by ethical hacker Aras Nazarovas from Cybernews.
Breach details
Discovery of the security flaw
Nazarovas found the vulnerability by looking at the code powering these services. He was able to access unencrypted and unprotected photos without any password.
"The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he said.
"As soon as I saw it, I realized that this folder should not have been public."
Security concerns
Sensitive content at risk of exploitation
The unprotected images were not just profile pictures but also privately sent photos and even those removed by moderators.
This poses a major risk to users, especially those living in countries where LGBT people are discriminated against.
Although the images weren't labeled with usernames or real names - making targeted attacks harder - there's still a possibility for malicious hackers to exploit this vulnerability.
Company statement
M.A.D Mobile's response to the breach
M.A.D Mobile was first alerted to this security flaw on January 20, but didn't take action until the BBC reached out.
The company has now fixed the issue but has not disclosed how it occurred or why it failed to secure sensitive images.
In response to Nazarovas's discovery, a spokesperson for M.A.D Mobile expressed gratitude for uncovering the vulnerability and preventing a potential data breach.