Private photos of users from these 5 dating apps exposed to hackers: How it happened | Technology News


Over 1.5 million private photos from users on niche dating apps were exposed to hackers in what appears to be the largest such data leak since the infamous Ashley Madison cybersecurity incident in 2015.

Security researchers from Cybernews found an online storage of users’ private photos from five dating apps, namely: BDSM People, Chica, Pink, Brish, and Translove. All the affected platforms are exclusively iOS apps with an estimated total of 800,000 to 900,000 users. They have been developed by M.A.D Mobile Apps Developers.

Three of the five apps impacted by the data security incident are online platforms that are reportedly used widely within the LGBTQ+ community. Most of the user photos that were part of the exposed dataset were sexually explicit in nature, as per the researchers.

The incident poses a grave risk of hackers gaining access to the exposed photos and extorting users. “For example, threat actors can deploy scrapers or monitoring scripts to access new data in real-time, allowing them to execute extortion and social engineering attacks with extreme precision,” Cybernews said in a blog post.

It could also be potentially life-threatening to users on the affected LGBTQ+ dating apps, especially if they live in countries that are hostile towards the community.

How was the data exposed?

The security researchers said that they downloaded and analysed nearly 156,000 iOS apps. They found that many app developers were leaving plaintext credentials hardcoded in application code, where anyone who downloads the app can extract them.

As part of their analysis, the researchers further found that 71 per cent of the analysed apps leak at least one secret, with an average app’s code exposing 5.2 secrets. Here, the term ‘secret’ refers to sensitive information such as API keys, passwords, or encryption keys.

BDSM People, CHICA, TRANSLOVE, PINK, and BRISH dating apps had publicly accessible secrets published together with the apps’ code. Since they were all built by the same developer, the five affected dating apps have identical architecture which resulted in the same type of sensitive data being exposed, researchers said.

By analysing the apps’ code, researchers were able to find the storage location of the user photos that were surprisingly not encrypted or password-protected. “The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties. As soon as I saw it I realised that this folder should not have been public,” Aras Nazarovas, an ethical hacker at Cybernews, was quoted as saying by BBC.
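As an added example (not Cybernews’ tooling and not code from the article), here is a small Python secret scanner of the kind used for the analysis described above: it runs over the printable strings pulled out of an unpacked app bundle, flags known credential formats and cloud storage bucket URLs, and applies an entropy check so that real-looking generic "key = value" assignments are separated from placeholders. The sample input, the pattern shapes (based on the providers’ documented key formats) and the entropy threshold are assumptions for illustration; the key values in the sample are dummy values, not live credentials.

```python
"""Secret scanner for strings pulled out of an unpacked iOS app bundle.

Added example, not Cybernews' tooling. It assumes the .ipa has already been
unzipped and printable strings extracted from the main binary and plists, e.g.
    unzip App.ipa -d app && strings app/Payload/*.app/* > strings.txt
Pattern shapes are assumptions based on the providers' documented key formats.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Format-specific patterns (high confidence when they match) plus one generic
# "name = value" pattern that needs an entropy check to weed out placeholders.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "storage_bucket_url": re.compile(
        r"https?://[a-z0-9.\-]+\.(?:s3[.-][a-z0-9\-]*\.amazonaws\.com"
        r"|storage\.googleapis\.com|appspot\.com|firebasestorage\.app)\b[^\s\"']*"
    ),
    "generic_assignment": re.compile(
        r"(?i)(?:key|secret|password|passwd|token)\s*[=:]\s*[\"']?([A-Za-z0-9+/=_\-]{16,})"
    ),
}
# Bits per character (assumed threshold): placeholders such as YOUR_API_KEY_HERE
# score about 3.3, random 32-40 character keys score 4.5 or more.
ENTROPY_THRESHOLD = 3.5


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    entropy: float
    confidence: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> list[Finding]:
    """Apply every pattern to every line; one finding per pattern per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # The generic pattern captures the value; the others match it whole.
            value = m.group(1) if m.groups() else m.group(0)
            ent = shannon_entropy(value)
            if kind == "generic_assignment":
                confidence = "high" if ent >= ENTROPY_THRESHOLD else "low"
            else:
                confidence = "high"
            findings.append(Finding(line_no, kind, value, round(ent, 2), confidence))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Scan a strings dump on disk (e.g. the strings.txt produced above)."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count high-confidence findings per kind, i.e. the 'secrets per app' metric."""
    return dict(Counter(f.kind for f in findings if f.confidence == "high"))


# Constructed sample of the kind of lines a strings dump of an app binary
# yields; the credentials are dummy/example values, not live secrets.
SAMPLE_STRINGS = """\
CFBundleIdentifier
com.example.datingapp
https://photos-example-bucket.s3.us-east-1.amazonaws.com/uploads/
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
firebase_api_key = "AIzaSyEXAMPLE0123456789abcdefghijklmnop"
api_key = YOUR_API_KEY_HERE
password = changeme
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STRINGS):
        print(f"line {f.line_no}: {f.kind} ({f.confidence}, H={f.entropy}) {f.value[:40]}")
    print(summarize(scan_text(SAMPLE_STRINGS)))
```

Run it against a real dump with `scan_file("strings.txt")`. The finding a practitioner acts on first is any `storage_bucket_url`: an unauthenticated GET of the bucket root that returns an XML object listing, rather than an access-denied error, means the bucket is publicly listable, which is the condition the article describes for the exposed photo storage.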

What was exposed and what wasn’t

The researchers claimed that the exposed storage bucket, containing users’ profile photos, public posts, and private photos sent through direct messages, was left publicly accessible to anyone.

Profile verification images and photos removed by the apps’ moderators for rule violations were also part of the tranche of exposed data. However, private texts between users were not found to be part of the exposed dataset. The private photos were also not attached to any user names.

However, Cybernews researchers warned that this does not minimise the risk of being hacked or extorted as malicious actors can still find out the name of a user in an exposed photo through techniques such as reverse image search.

How did MAD Mobile respond?

Without elaborating on the lapse in app security, MAD Mobile said that the issue has now been fixed. “We apologize to our users for any concern caused by the article and hope other developers will take this issue seriously,” a company spokesperson was quoted as saying.

“Even though no real data leak occurred, this does not absolve us of responsibility. On the contrary, it has motivated us to strengthen our security measures further,” the spokesperson further said.

In a statement to BBC, a MAD Mobile spokesperson said that an additional update for the apps will be released on the App Store in the coming days.
