Researchers discovered a major vulnerability in five dating apps—Chica, BDSM People, Pink, Brish, and Translove—leading to nearly 1.5 million private user images being exposed online. Despite identifying the flaw months earlier, the company failed to address the issue promptly, leaving users at risk of potential hacking and extortion.
Security Breach Exposes 1.5 Million Private Images from Kink and LGBT Dating Apps
Security Breach Exposes 1.5 Million Private Images from Kink and LGBT Dating Apps
A significant security flaw in dating apps has left 1.5 million user images, many explicit, unprotected online, raising concerns for user privacy and safety.
Researchers have uncovered a severe security vulnerability affecting a range of dating apps tailored for kink and LGBT communities, resulting in the exposure of approximately 1.5 million user images online. The apps involved, created by M.A.D Mobile, include BDSM People and Chica, alongside LGBT platforms Pink, Brish, and Translove. The implications of this breach are particularly concerning, as many of these images are explicit in nature.
The dating apps reportedly serve between 800,000 to 900,000 users, many of whom now face potential risks associated with their private images being publicly accessible. The loophole was first flagged to M.A.D Mobile on January 20, but no immediate action was taken. The issue became widely known after BBC's inquiry prompted the company to rectify the situation, although specific reasons behind the initial inaction remain unclear.
Ethical hacker Aras Nazarovas, who alerted the firm, revealed that the storage folder containing the images was easily accessible without any encryption or password protection. Upon investigating Baptism People, he stumbled upon numerous explicit images, underlining the severity of the risk for users, particularly in regions where LGBT individuals face persecution.
In response to the incident, M.A.D Mobile expressed gratitude to the researcher for identifying the flaw, stating it had taken appropriate measures to secure the data. However, the spokesperson did not clarify why it took several months to address the issue following multiple warnings.
Notably, while no user names or real identities were attached to the exposed images, analysts emphasize that the risk of targeted attacks still looms, especially for users residing in countries that are hostile toward LGBT communities. M.A.D Mobile plans to release additional updates for the apps on the App Store shortly to enhance user security.
In an unusual move, Nazarovas and his team chose to publish their findings while the vulnerability was still present, driven by concern over the lack of action from the company. The decision to go public highlights the importance of swiftly reporting security flaws to protect users—a stance reminiscent of the fallout from the 2015 Ashley Madison data breach, which exposed sensitive client information and led to widespread repercussions.
