Skirt Club, a sex club "for girls who play with girls," required prospective members to upload "full body" photos with their applications; these photos were stored in world-readable folders with easily guessable names. When the site's owners were contacted about this, they promised action but did nothing for three weeks, and then made an incomplete job of it. They have not notified their users about the breach.

The site is offline as of this writing.

It took Stephan Urbach a minute to figure out which files had been configured wrongly and 45 minutes of research to find what code had to be written to fix the faulty htaccess file. Urbach and VICE passed that information on to the founder of Skirt Club, who thanked them for flagging it and said the issue should be considered resolved. It wasn't. Now, a few weeks and some messages back and forth later, the issue is finally mostly fixed – at this point, the folders can't be opened and the image files can't be clicked anymore. But theoretically, a few files are still accessible without a password for people with intimate knowledge of the original security issue and the complete setup of the website's servers. Even though no one will access those files, it does show that the error in the code isn't fully resolved.

The security issues with Skirt Club's website didn't give access to credit card details or names with the images of users. But some photos do give away a lot about the identity of the person in the photo. If a user uploaded a picture on her Skirt Club profile she also uses on other websites linked to her name, she can be identified within a few clicks. In the files was a picture of a lawyer, for example, that led straight to the website of the firm she works for. And Skirt Club saved the original uploaded images, even if users cropped or edited them. We found the original file of the photo of a doctor who had cropped out her name tag on her lab coat.

A Sex Club for Bisexual Women Left Intimate Photos of Its Members Freely Accessible Online
[Wlada Kolosowa and Max Hoppenstedt/Vice]