Updated Dating-slash-hook-up app Jack'd is exposing to the public internet intimate snaps privately swapped between its users, allowing miscreants to download countless X-rated selfies without permission.
The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi men chat each other up, exchange private and public pics, and arrange to meet.
Those photos, public and private, can, it appears, be accessed by anyone with a web browser who knows just where to look. As there is no authentication, no need to sign up to the app, and no limits in place, miscreants can therefore download the entire image database for further havoc and potential blackmail.
You may well want to delete your images until this issue is fixed.
We're told the developers of the application were warned of the security vulnerability about a year ago, and yet no fix has been made. We've repeatedly tried to contact the programmers to no avail. In the interests of alerting Jack'd users to the fact their highly NSFW pictures are facing the public internet, we're publishing this story today, although we are withholding details of the flaw to discourage exploitation.
Researcher Oliver Hough, who said he found and reported the security shortcoming to the Jack'd team several months ago, demonstrated to The Register how the programming bug can be exploited. We were able to verify it is possible to access masses of public and private images without logging in or installing the app.
The app should place strict access restrictions on which images should be viewable, so that if one user allows another user to see a sext pic, only the receiver should be allowed to see it. Instead, it is possible to see everyone's naked selfies, to be frank.
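The access model described above, where a private picture is viewable only by its owner and the users the owner has explicitly shared it with, is a per-object authorization check. The following is an added illustration written for this article, not Jack'd's code or anything derived from it; the `ImageStore` class, its method names and the in-memory session and grant tables are all assumptions made for the example. It shows the three controls whose absence the story describes: a required login, an ownership-or-grant check on every fetch, and unguessable image identifiers so the store cannot be walked by incrementing a number.

```python
import secrets
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised for unauthenticated, forbidden and missing-image requests alike."""


@dataclass
class Image:
    image_id: str
    owner: str
    data: bytes
    shared_with: set = field(default_factory=set)  # user ids granted access


class ImageStore:
    """Hypothetical in-memory image service with per-object access control."""

    def __init__(self, max_fetches_per_session: int = 500):
        self._images: dict[str, Image] = {}
        self._sessions: dict[str, str] = {}       # session token -> user id
        self._fetch_count: dict[str, int] = {}    # session token -> fetches so far
        self._max_fetches = max_fetches_per_session

    def login(self, user: str) -> str:
        # Real systems verify credentials here; the example only issues a token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def upload(self, token: str, data: bytes) -> str:
        owner = self._require_user(token)
        # 128-bit random id: no sequential numbering to enumerate.
        image_id = secrets.token_urlsafe(16)
        self._images[image_id] = Image(image_id, owner, data)
        return image_id

    def share(self, token: str, image_id: str, recipient: str) -> None:
        user = self._require_user(token)
        img = self._images.get(image_id)
        # Only the owner may grant access; a recipient cannot re-share.
        if img is None or img.owner != user:
            raise AccessDenied("not the owner")
        img.shared_with.add(recipient)

    def fetch(self, token: str, image_id: str) -> bytes:
        user = self._require_user(token)
        # Crude per-session limit so one login cannot bulk-download the store.
        used = self._fetch_count.get(token, 0) + 1
        if used > self._max_fetches:
            raise AccessDenied("fetch limit reached")
        self._fetch_count[token] = used
        img = self._images.get(image_id)
        # Same error for "does not exist" and "not yours": no existence oracle.
        if img is None or (user != img.owner and user not in img.shared_with):
            raise AccessDenied("no access to this image")
        return img.data

    def _require_user(self, token: str) -> str:
        user = self._sessions.get(token)
        if user is None:
            raise AccessDenied("authentication required")
        return user


def demo() -> dict:
    """Walk through owner, recipient and outsider access; returns the outcomes."""
    store = ImageStore()
    alice, bob, eve = store.login("alice"), store.login("bob"), store.login("eve")
    pic = store.upload(alice, b"\x89PNG constructed sample bytes")
    store.share(alice, pic, "bob")
    results = {"owner": store.fetch(alice, pic) is not None,
               "recipient": store.fetch(bob, pic) is not None}
    for label, tok in (("outsider", eve), ("anonymous", "no-such-token")):
        try:
            store.fetch(tok, pic)
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the `demo()` walk-through is that the only difference between the recipient and the outsider is a row in the grant set; the image bytes and URL are identical for both, so the check has to happen on the server at fetch time, not by relying on the URL staying secret.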
Fortunately, there appears to be no easy way to connect each of the images to specific individual profiles, although it may be possible to make educated guesses depending on how skilled the attacker is, Hough told us. The infosec bod has previously appeared on El Reg's pages, having found Rubrik and UrbanMassage customer info exposed online.
Obviously, having the private images of users accessible to the whole world is not an intended function of the app. Apart from leaking highly compromising snaps of folks, some of its users may not be publicly out as gay or bi, and thus a trove of compromising images of them sitting on the web is not particularly great for their welfare – particularly if homosexuality is illegal where they live.
Jack'd parent company Online Buddies did not respond to repeated requests for an explanation.
This wouldn't be the first time a dating site's security slip-up left the private details of its users blowing in the wind. Famously, in 2015 love-rat cyber-warren Ashley Madison was relieved of the details and activity of millions of its users, which were duly leaked online by hackers.
More recently, dating app Grindr faced criticism after it was found to have been letting some of its analytics partners have access to the personal data, including HIV status, of a number of customers. ®
Updated to add on February 7
And hey-presto, the vulnerability is now fixed, within four days of us privately prodding the Jack'd devs, and publicly reporting this story.