Recent investigations have revealed a disturbing security breach involving nearly 1.5 million explicit images stored without password protection on various dating apps. This shocking revelation raises significant concerns regarding user privacy and data security. The exposed images predominantly belong to users of five platforms developed by M.A.D Mobile, which include niche dating sites such as BDSM People and Chica, as well as LGBT apps like Pink, Brish, and Translove.
These dating services are estimated to cater to around 800,000 to 900,000 users, many of whom are now at risk. The security flaw was initially flagged to M.A.D Mobile on January 20th, but it wasn't until the BBC reached out that any action was taken. Although the company has since implemented a fix, it has not disclosed the cause of the breach or the reasons behind its delay in addressing the issue.
The security hole was uncovered by ethical hacker Aras Nazarovas from Cybernews, who was able to access the unencrypted photos merely by analyzing the code behind the apps. He expressed his shock at the ease with which he could view these sensitive images, stating, "As soon as I saw it, I realized that this folder should not have been public."
The images accessible in this unprotected storage were not limited to user profile pictures; they also included images from private messages and even photos that had been previously removed by moderators. Nazarovas highlighted the significant risks associated with the exposure of such sensitive material, particularly for users in countries that are hostile to LGBT individuals.
While the exposed images were not labeled with usernames or real names, making targeted attacks somewhat more complex, the potential for extortion remains a grave concern. Malicious hackers could exploit this vulnerability, putting users at risk of harassment or blackmail.
M.A.D Mobile has since acknowledged the vulnerability identified by Nazarovas, expressing gratitude for the discovery that helped avert a more significant data breach. A spokesperson stated, "We appreciate their work and have already taken the necessary steps to address the issue." However, they did not provide answers to additional inquiries regarding the company's location or the delays in securing the data.
Typically, security researchers wait until vulnerabilities are resolved before making public announcements to avoid further risks to users. However, Nazarovas and his team chose to alert the public while the issue was still unresolved, driven by concerns that M.A.D Mobile was not taking adequate action. "It's always a difficult decision, but we think the public needs to know to protect themselves," he stated.
This incident echoes past breaches, such as the notorious 2015 hack of Ashley Madison, which compromised sensitive user data. It serves as a stark reminder of the critical importance of robust security measures in safeguarding personal information, especially on platforms catering to vulnerable populations.