Dating and chat app, Jack’d, has been leaving images posted by users and marked as private in chat sessions exposed online, potentially revealing the users’ intimate images and sexuality to the public.
According to Ars Technica, both the private and the public photos were uploaded to the same AWS S3 bucket, which was accessible over an unsecured web connection, with each image identified by a sequential number.
“By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack’d users – public or private. Additionally, location data and other metadata about users was accessible via the application’s unsecured interfaces to backend data,” the publication wrote.
Anyone monitoring the network traffic, including officials in areas where homosexuality is illegal, is able to see this data, putting the exposed users at risk of persecution.
Researcher Oliver Hough, who discovered the flaw, said that he informed the company of the risk a year ago but it was not fixed. Hough was able to demonstrate the security gap to The Register, which then verified the problem and confirmed that it was possible to access large volumes of public and private images without logging in or installing the app.
“The app allows you to upload public and private photos, the private photos they claim are private until you ‘unlock’ them for someone to see,” Hough explained. “The problem is that all uploaded photos end up in the same S3 (storage) bucket with a sequential number as the name.”
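The two weaknesses described above, a shared bucket reachable without authentication or TLS and object names that are a plain counter, are both things a storage owner can check for before images go anywhere near a bucket. The following Python is an added illustration written for this article, not code from Jack'd, Ars Technica or the researcher; the bucket name and both policies are constructed examples, and the functions assume nothing beyond the standard library. It audits a bucket policy for a public read grant and for a missing TLS-only condition, and contrasts an enumerable key with an unguessable one.

```python
"""Added example (not from the article or the app): defender-side checks for
the failure mode the report describes, public object reads over plain HTTP
and sequential object names. Everything below is constructed for illustration."""
import json
import re
import secrets

BUCKET = "example-photo-bucket"  # constructed placeholder, not the app's real bucket

# Constructed policy resembling the reported failure mode: every object is
# readable by anyone and nothing requires an encrypted connection.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::" + BUCKET + "/*",
    }],
})

# Constructed hardened policy: no public Allow at all, plus an explicit Deny
# for any request that does not arrive over TLS.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::" + BUCKET, "arn:aws:s3:::" + BUCKET + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# An object name that is just an integer (optionally under a prefix and with
# a file extension) can be walked in order; a random token cannot.
SEQUENTIAL_KEY = re.compile(r"^(?:.*/)?\d+(?:\.[A-Za-z0-9]+)?$")


def is_enumerable_key(key: str) -> bool:
    """True when the object name is a bare counter rather than a random token."""
    return bool(SEQUENTIAL_KEY.match(key))


def private_photo_key(user_id: str, extension: str = "jpg") -> str:
    """Unguessable key: 32 bytes from the OS CSPRNG, so knowing one object's
    name reveals nothing about the name of any other object."""
    return "private/%s/%s.%s" % (user_id, secrets.token_urlsafe(32), extension)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_read_sids(policy_json: str) -> list:
    """Sids of Allow statements that let anyone download objects."""
    hits = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if (stmt.get("Effect") == "Allow"
                and _is_public_principal(stmt.get("Principal"))
                and ("s3:GetObject" in actions or "s3:*" in actions or "*" in actions)):
            hits.append(stmt.get("Sid", "<no sid>"))
    return hits


def enforces_tls(policy_json: str) -> bool:
    """True when some Deny statement refuses requests with aws:SecureTransport=false."""
    for stmt in json.loads(policy_json).get("Statement", []):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket_policy(policy_json: str) -> list:
    """Human-readable findings; an empty list means both checks pass."""
    findings = ["statement %s grants object reads to everyone" % sid
                for sid in public_read_sids(policy_json)]
    if not enforces_tls(policy_json):
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(policy) or "OK")
    print("counter key enumerable:", is_enumerable_key("1234567.jpg"))
    print("random key enumerable:", is_enumerable_key(private_photo_key("user42")))
```

The policy audit is deliberately narrow: it only looks for the two conditions named in the report. In practice the random key is a complement to, not a substitute for, keeping the bucket private (for example with S3 Block Public Access turned on) and handing out short-lived presigned URLs only after the application has checked that the requester is allowed to see that particular "unlocked" photo.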
Earlier this week, Jack’d chief executive Mark Girolamo informed Ars Technica that the issue would be resolved by today (Thursday 7th of February). However, the flaw remains unfixed and the company has yet to provide an explanation.
Commenting on the incident, Philip Baldwin, LGBT and HIV campaigner, told DIGIT: “What is particularly saddening is that Jack’d were aware of the flaw for a significant period of time and did not fix it or warn users. Every LGBT person has their own journey with ‘coming out’.
“It took me a number of years to come out to my friends, parents and employer. This leak means that many gay and bi men may be cruelly ‘outed’ and, in countries where it is illegal to be gay, could face persecution from state authorities and even violence.”
Previously, other dating and hook-up websites, such as Ashley Madison and Grindr, have faced similar scandals, in which users were exposed online. The infamous Ashley Madison breach revealed the extramarital affairs of its users, while Grindr exposed its users’ HIV status to third parties.