A security flaw in the popular gay dating app, Jack’d, has leaked several intimate photos on the internet.
Those images, whether they’re public or private, can be viewed by anyone with a web browser, even if they don’t have a Jack’d account, according to a BBC report.
Jack’d failed to respond to a request for comment when approached by the BBC.
The flaw was initially reported by The Register on Tuesday (Feb. 5th).
The dating app, which lets users upload and share private images of themselves on their profile, has been downloaded more than five million times from the Google Play store.
However, Oliver Hough, a researcher who first discovered the flaw three months ago, said all the photos were uploaded to the same open web server.
“The app allows you to upload public and private photos, the private photos they claim are private until you ‘unlock’ them for someone to see,” Hough explained. “The problem is that all uploaded photos end up in the same S3 (storage) bucket with a sequential number as the name.”
And according to the news website, Ars Technica, the app also exposed users’ location data and other information that could potentially reveal an individual’s identity to the public.
Flaw remains unfixed
Following the findings, Mark Girolamo, CEO of Jack’d, told Ars Technica that the issue would be resolved by Thursday (Feb. 7th).
However, the flaw remains unfixed and the company has yet to release a statement about how it plans to resolve the problem.
“They acknowledged my report but then just went silent and did nothing,” Mr. Hough told BBC News.
“A journalist contacted them in November and they did the same.”