Improper Data Security Allowed Viewing of Private Messages from Gay Dating App
Number of Records: Undetermined (user base of 1 million)
When it occurred: Open for over a year — Closed February 7, 2019
What Happened: Jack’d, a “gay dating and chat” application, failed to adequately secure its S3 data stores, leaving images that users had posted in chat sessions and marked as “private” open to browsing on the Internet, potentially exposing thousands of users.
How it Happened: Photos were uploaded to an AWS S3 bucket that was reachable over an unsecured (plaintext) Web connection, with each object identified by a sequential number. Because the keys were predictable and the bucket performed no authorization check, walking the range of sequential values was enough to view every image uploaded by Jack’d users—public or private. Additionally, location data and other metadata about users were accessible through the application’s unsecured interfaces to backend data. The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users’ identity and location—were exposed to public view.
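The two designs described above, modelled side by side as an added example (this is not Jack’d’s code, and the class and function names are hypothetical): a store that keys objects by an incrementing counter and serves them without any check, and a hardened store that uses unguessable keys, limits reads to the uploader and the chat’s recipients, refuses plaintext transport, and hands out short-lived HMAC-signed download links (the shape of an S3 presigned URL) instead of direct object access.

```python
"""Constructed model of the flawed and the hardened photo-store designs.
Names (Photo, SequentialPublicStore, HardenedStore, demo) are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    owner: str
    recipients: frozenset  # chat participants allowed to view a private image
    private: bool
    data: bytes


class SequentialPublicStore:
    """Flawed design: objects keyed by an incrementing counter and served to
    anyone who asks, so every key is guessable and every image is readable."""

    def __init__(self):
        self._next_id = 1
        self._objects = {}

    def put(self, photo):
        key = self._next_id
        self._next_id += 1
        self._objects[key] = photo
        return key

    def get(self, key):
        # No transport requirement and no authorization check at all.
        return self._objects.get(key)


class HardenedStore:
    """Hardened design: 256-bit random keys, reads limited to the uploader and
    the chat's recipients, plaintext transport refused, and downloads issued
    as HMAC-signed links that expire (assumed TTL of 300 seconds)."""

    LINK_TTL = 300  # seconds; an assumption for this example

    def __init__(self, signing_key=None):
        self._objects = {}
        self._signing_key = signing_key or secrets.token_bytes(32)

    def put(self, photo):
        key = secrets.token_urlsafe(32)  # 256 bits of entropy, not enumerable
        self._objects[key] = photo
        return key

    def _authorize(self, key, requester):
        photo = self._objects.get(key)
        if photo is None:
            raise KeyError("no such object")
        if photo.private and requester != photo.owner and requester not in photo.recipients:
            raise PermissionError(f"{requester} may not read this object")
        return photo

    def get(self, key, requester, over_tls):
        if not over_tls:
            raise PermissionError("plaintext transport refused")
        return self._authorize(key, requester)

    def issue_link(self, key, requester, now=None):
        """Return (key, expiry, signature) only after the authorization check."""
        self._authorize(key, requester)
        expiry = int(now if now is not None else time.time()) + self.LINK_TTL
        return key, expiry, self._sign(key, expiry)

    def fetch_by_link(self, key, expiry, sig, now=None):
        """Serve an object for a link whose signature is valid and not expired."""
        now = now if now is not None else time.time()
        if now >= expiry:
            raise PermissionError("link expired")
        if not hmac.compare_digest(sig, self._sign(key, expiry)):
            raise PermissionError("bad signature")
        return self._objects[key]

    def _sign(self, key, expiry):
        msg = f"{key}:{expiry}".encode()
        return hmac.new(self._signing_key, msg, hashlib.sha256).hexdigest()


def demo():
    """Show the contrast: a stranger reads the private photo from the weak
    store but is denied by the hardened one, while the intended recipient
    still can read it."""
    alice_to_bob = Photo("alice", frozenset({"bob"}), True, b"private-image-bytes")

    weak = SequentialPublicStore()
    weak_key = weak.put(alice_to_bob)
    leaked = weak.get(weak_key) is alice_to_bob  # anyone holding the number gets it

    strong = HardenedStore()
    strong_key = strong.put(alice_to_bob)
    try:
        strong.get(strong_key, requester="mallory", over_tls=True)
        denied = False
    except PermissionError:
        denied = True
    bob_ok = strong.get(strong_key, "bob", over_tls=True) is alice_to_bob
    return {"sequential_key": weak_key, "leaked_to_stranger": leaked,
            "random_key_len": len(strong_key), "stranger_denied": denied,
            "recipient_can_read": bob_ok}


if __name__ == "__main__":
    print(demo())
```

The design point is that an unguessable key alone is not the fix: the hardened store still checks who is asking, so a link that leaks later in a log or a browser history is bounded by the expiry, and a recipient cannot forward raw object access to a third party. In a real deployment the same properties come from keeping the bucket private (block public access), serving only over TLS, and minting presigned URLs from an application server that has already authorized the request.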
Outcome: The bug was fixed in a February 7 update, almost a year after the leak was first disclosed to the company and more than three months after Ars Technica contacted the company’s CEO, Mark Girolamo, about the issue. These delays, although unfortunate, are hardly uncommon even when the fix is relatively straightforward, pointing to an ongoing problem with the widespread neglect of basic security hygiene in mobile applications.