The gay dating app Jack'd, which has more than a million downloads in the Play store, stored images that users marked 'private' and posted in 1:1 chat sessions *on an unsecured AWS server.*
The site is HTTP-accessible.
Ars Technica first posted the story, and confirmed after publication, with testing, that the private image leak in Jack'd has been closed.
"A full check of the new app is still in progress."
Jack'd, a "gay dating and chat" application with more than 1 million downloads from the Google Play store, has been leaving images posted by users and marked as "private" in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured Web connection, identified by a sequential number. By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack'd users—public or private. Additionally, location data and other metadata about users was accessible via the application's unsecured interfaces to backend data.
The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users' identity and location—were exposed to public view. Because the images were retrieved by the application over an insecure Web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal, homosexuals are persecuted, or by other malicious actors. And since location data and phone identifying data were also available, users of the application could be targeted
There's reason to be concerned. Jack'd developer Online-Buddies Inc.'s own marketing claims that Jack'd has over 5 million users worldwide on both iOS and Android and that it "consistently ranks among the top four gay social apps in both the App Store and Google Play." The company, which launched in 2001 with the Manhunt online dating website—"a category leader in the dating space for over 15 years," the company claims—markets Jack'd to advertisers as "the world's largest, most culturally diverse gay dating app."
The bug is fixed in a February 7 update. But the fix comes a year after the leak was first disclosed to the company by security researcher Oliver Hough and more than three months after Ars Technica contacted the company's CEO, Mark Girolamo, about the issue. Unfortunately, this sort of delay is hardly uncommon when it comes to security disclosures, even when the fix is relatively straightforward. And it points to an ongoing problem with the widespread neglect of basic security hygiene in mobile applications.