As part of a large-scale investigation of security lapses in iOS apps, Cybernews has discovered glaring issues that may have resulted in a massive leak of private photos from a number of niche dating apps, all from one developer, M.A.D. Mobile. The images came not only from public profiles and posts but also from private user chats, and even included photos that moderators had removed. Needless to say, many of these photos were explicit in nature.
Five apps from M.A.D. Mobile were affected – BDSM People, luxury 'sugar dating' app Chica, and LGBT apps Pink, Brish and Translovefound. All five apps shared an identical architecture, and all of them shipped critical credentials hardcoded in plaintext in the app code. Those secret keys led the researchers to the Google Cloud Storage buckets holding the photos, and the buckets themselves had no encryption, no password and no access control of any kind. In other words, anyone who knew the bucket URL (which the app code itself exposed) could have downloaded the media without ever authenticating.
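The weakness described above is not exotic: strings baked into an app binary can be pulled out with `strings` or by unzipping the IPA, and then matched against known credential formats. The following is an added example written for this article, not code from Cybernews or from M.A.D. Mobile, of the kind of scan a reviewer would run over a dump of an app's strings. The sample input is constructed for illustration (the bucket name, API key and token are invented and do not belong to any real project), and the only assumption is that the input is plain text, one extracted string per line.

```python
import math
import re
import sys
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule value lineno")

# Format-specific rules. The Google API key shape (AIza + 35 URL-safe chars)
# and the GCS URL forms are documented by Google; the others are standard
# markers for private keys, service-account JSON and AWS access key IDs.
RULES = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "gcs_bucket_url": re.compile(
        r"https?://(?:storage\.googleapis\.com|storage\.cloud\.google\.com)/"
        r"([a-z0-9][a-z0-9._\-]{1,61}[a-z0-9])"),
    "gcs_bucket_url_virtual": re.compile(
        r"https?://([a-z0-9][a-z0-9._\-]{1,61}[a-z0-9])\.storage\.googleapis\.com"),
    "service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

# Generic rule: a secret-looking name assigned a long token. Matches are only
# reported when the value has high entropy, which weeds out placeholders.
GENERIC = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})")


def shannon_entropy(s):
    """Bits of entropy per character; 'aaaa' -> 0.0, 20 distinct chars -> ~4.32."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.0):
    """Return a list of Finding for every credential-like string in text."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(name, value, lineno))
                seen.add(value)
        for m in GENERIC.finditer(line):
            value = m.group(2)
            if value in seen:  # already reported by a specific rule
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding("high_entropy_secret", value, lineno))
                seen.add(value)
    return findings


# Constructed sample of what `strings` might return for an app binary.
# Nothing here is a real bucket, key or token.
SAMPLE_STRINGS = """\
com.example.datingapp
https://storage.googleapis.com/example-user-media-bucket/profiles/
GOOGLE_API_KEY=AIzaSyExampleKey0123456789abcdefghijklm
{"type": "service_account", "project_id": "example-project"}
-----BEGIN PRIVATE KEY-----
password = "aaaaaaaaaaaaaaaaaaaa"
upload_token = "q8Zk2mVx7LpR4sTn9BwE"
Loading chat history...
"""

if __name__ == "__main__":
    # Usage: python scan_secrets.py [strings_dump.txt]; defaults to the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_STRINGS
    for f in scan(text):
        print(f"line {f.lineno}: {f.rule}: {f.value}")
```

Run against the sample, the scanner flags the bucket URL, the API key, the service-account marker, the private-key header and the high-entropy upload token, while ignoring the all-'a' placeholder password. A finding is only a lead: the check that turns a hardcoded bucket name into a confirmed exposure is an unauthenticated request such as `curl -s https://storage.googleapis.com/<bucket>/`, which returns an XML object listing when the bucket grants public list access and an AccessDenied error when it does not. Do that check only against buckets you are authorised to test.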
Of course, any time private photos are potentially exposed to malicious actors, there’s the risk of harassment, extortion and damage to reputation. However, the consequences of a privacy breach would likely be much worse for users of specialist dating apps, especially with homosexuality being illegal in many countries.
The scale of the leak is staggering: over 1.5 million user-uploaded photos, amounting to several hundred gigabytes of data. It is a small mercy that the exposed data did not contain user identities, usernames, emails or messages, but a reverse image search could easily link a photo back to a real person. Notably, all five apps are iOS exclusive, with no Android or web versions.
The researchers at Cybernews first reached out to M.A.D. Mobile in January, but the leak remained unaddressed. Fearing continued inaction on the company’s part, and against its own standard practice, Cybernews decided to publish a report of the issue before it was fixed. It was only after the BBC emailed the firm that a representative responded saying that it was indeed fixed, while thanking the researchers for their help.
This incident only highlights what many in the cybersecurity domain already know: third-party iOS apps are by no means inherently secure against data breaches. In fact, Cybernews' investigation yielded a disconcerting insight. Of the 156,000 apps examined (roughly 8% of all apps on the App Store), 71% were found to expose at least one secret, and the average app's code exposed 5.2 secrets.
The biggest takeaway from this incident is that users should avoid using apps from unfamiliar publishers altogether, especially when highly sensitive information is involved. Specifically, sensitive media should only be shared on encrypted platforms and services that offer not only some degree of protection, but also public accountability.