Researchers have discovered nearly 1.5 million pictures from specialist dating apps, many of which contain explicit content, being stored online without password protection. This vulnerability makes the images susceptible to hackers and extortionists. The private photos from five platforms developed by M.A.D Mobile, including BDSM People, Chica, Pink, Brish, and Translove, were accessible to anyone with the link. These platforms have an estimated 800,000 to 900,000 users.
Cybersecurity expert Aras Nazarovas from Cybernews discovered the security flaw by analyzing the code of the apps and found that unencrypted and unprotected photos were accessible without any password. Nazarovas emphasized that the first image he found was of a naked man, indicating that the folder should not have been public. The images were not limited to public profiles and included pictures that had been sent privately in messages, as well as some that had been removed by moderators.
Nazarovas highlighted the significant risk the discovery poses to the platforms’ users. Malicious hackers could have accessed the images and used them for extortion. There is also a particular risk for individuals living in countries hostile to the LGBT community. While the text content of private messages was not stored in the same way, and the images did not display usernames or real names, Nazarovas acknowledged that targeted attacks on specific users would therefore have been more complex.
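The exposure described above came down to private images being served at links that anyone holding the link could fetch, with no check of who was asking. The following added example (not code from the page, from M.A.D Mobile, or from Cybernews) shows one standard mitigation for that failure mode: the application issues per-user, time-limited signed URLs for stored images, and the server verifies the signature, expiry and requesting user before serving anything. The host name, secret key, image paths and user ids are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: in a real deployment the key comes from a secrets
# manager and the host is the media storage front end.
SECRET_KEY = b"example-secret-key-not-for-production"
IMAGE_HOST = "https://media.example.invalid"


def _signature(path: str, user_id: str, expires: int) -> str:
    """HMAC-SHA256 over the image path, the user it was issued to, and the expiry time."""
    msg = f"{path}|{user_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_image_url(path: str, user_id: str, ttl_seconds: int = 300,
                   now: Optional[int] = None) -> str:
    """Return a link to `path` that only `user_id` can use and that expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"uid": user_id, "exp": expires,
                       "sig": _signature(path, user_id, expires)})
    return f"{IMAGE_HOST}{path}?{query}"


def verify_image_url(url: str, requesting_user_id: str,
                     now: Optional[int] = None) -> bool:
    """Server-side check run before an image is served.

    Rejects links with no or malformed signature (the 'anyone with the link'
    case), links issued to a different user, expired links, and links whose
    path or parameters were tampered with after signing.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        uid = params["uid"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters: treat as unauthenticated
    if uid != requesting_user_id:
        return False  # link was issued to someone else
    if now >= expires:
        return False  # link has expired
    expected = _signature(parsed.path, uid, expires)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(sig, expected)


if __name__ == "__main__":
    fixed_time = 1_700_000_000  # constructed timestamp so the demo is deterministic
    path = "/uploads/photo123.jpg"
    bare_link = f"{IMAGE_HOST}{path}"
    signed_link = sign_image_url(path, "user-42", now=fixed_time)
    print("bare link, no signature:", verify_image_url(bare_link, "user-42", now=fixed_time))
    print("signed link, right user:", verify_image_url(signed_link, "user-42", now=fixed_time + 10))
    print("signed link, other user:", verify_image_url(signed_link, "user-99", now=fixed_time + 10))
    print("signed link, expired:   ", verify_image_url(signed_link, "user-42", now=fixed_time + 600))
```

The design point is that the storage location itself stays private and every served image goes through `verify_image_url`; a leaked or guessed object path is then useless on its own, and a leaked signed link stops working after its TTL.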
M.A.D Mobile was first informed about the security flaw on January 20th but did not take immediate action. It was only after the BBC contacted them on Friday that they fixed the issue. However, the company has not disclosed how the vulnerability occurred or why they failed to protect the sensitive images.
The company expressed gratitude to Nazarovas for bringing the vulnerability to their attention and stated that they have already taken necessary steps to address the issue. They also mentioned that an additional update for the apps will be released on the App Store in the coming days. However, they did not respond to further questions about their company’s location and why it took them months to address the issue after receiving multiple warnings from researchers.
Typically, security researchers wait until vulnerabilities are fixed before publishing their findings to avoid putting users at further risk of attack. However, Nazarovas and his team decided to raise the alarm publicly while the issue was still ongoing, as they believed the public needed to be aware of the problem to protect themselves.
In 2015, malicious hackers stole customer data from the dating website Ashley Madison, which caters to married individuals seeking extramarital affairs. The stolen data exposed users’ private information.
Source: https://www.bbc.com/news/articles/c05m5m5v327o