Researchers have found nearly 1.5 million photos from specialized dating applications – many of which are explicit – are stored online without password protection, leaving them vulnerable to hackers and blackmail.
Anyone who has the connection has been able to review private photos from five platforms developed by Mad Mobile: Kink Sites BDSM People and Chica, and LGBT Apps Pink, BRISH and Translove.
These services are used from approximately 800,000 to 900,000 people.
Mad Mobile was warned for the first time of the deficiency of security on January 20, but did not take action until the BBC sends an email on Friday.
Since then, they have fixed it, but have not said how it happened or why they have not been able to protect the sensitive images.
Cybernews's ethical hacker first warned the security company company after finding the location of the online storage used by the applications by analyzing the code that power the services.
He was shocked that he could have access to unprotected and unsecured passwords without a password.
“The first app I investigated were the BDSM People. The first image in the folder was a naked man of his thirties,” he said.
“As soon as I saw it, I realized that this folder should not have been public.”
The images are not limited to those of profiles, he said – they include photos that have been sent private in messages, and even some that have been removed by moderators.
Nazarovas said the discovery of unprotected sensitive materials comes at a significant risk to users of platforms.
The malicious hackers could find the images and the blackmailed people.
There is also a risk for those who live in countries hostile to LGBT people.
None of the textual content of private messages has been found to be stored in this way and the images are not indicated by users or real names, which would make craft attacks on users more complicated.
In Mad Mobile, he said he was grateful to the researcher for revealing the vulnerability to applications to prevent data disturbance.
But there is no guarantee that Nazarovas was the only hacker to find the hiding place of the image.
“We appreciate their work and have already taken the necessary steps to deal with the problem,” said a spokesman for Mad Mobile. “Additional application update will be released to the App Store in the coming days.”
The company did not answer further questions about where the company was based and why it took months to deal with the problem after multiple warnings from researchers.
Usually, security researchers are waiting until the vulnerability is fixed before the publication of an online report is presenting users at a more risk risk of attack.
But the Nazarovas and his team decided to raise the alarm on Thursday, while the problem was still live as they worry that the company does nothing to fix it.
“This is always a difficult solution, but we think the public should know in order to defend itself,” he said.
In 2015, malicious hackers stole a large amount of client data for Ashley Madison users, a dating website for married people who want to cheat on their husband.