- The vulnerability lets attackers download private, often intimate photos of users registered with the dating app.
- Jack’d is a location-based chat and dating app for gay and bisexual men, which is available on Android and iOS platforms.
Dating app Jack’d has been found to contain an authentication flaw that allows attackers to download private photos of its users. It appears that anyone can look up and download the photos from an ordinary web browser without logging in to or registering with the service. That means an attacker can scrape the entire image store and use it for extortion or other malicious purposes.
Even after The Register informed the app’s developers of the issue three months ago, there has been no update on a security patch. The flaw was first discovered by security researcher Oliver Hough, who came across a programming error in the application that causes it. Images that should be viewable only by logged-in Jack’d users can, because of the bug, be fetched by anyone without a login.
Further technical details of the vulnerability have not been disclosed so far, to avoid making exploitation easier.
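Because the technical details are being withheld, the exact mechanism is unknown. The snippet below is an added, generic illustration of the bug class the article describes (an image endpoint that checks nothing beyond the photo identifier) next to two common fixes: a session check on the server, and short-lived HMAC-signed URLs that a CDN or storage bucket can verify. It is not Jack’d’s code, and the photo ids, session tokens, signing key and byte strings are constructed sample data.

```python
"""Added illustration of an unauthenticated image endpoint and two fixes.
Not Jack'd's code; all data below is constructed for the example."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample store: photo id -> (owner, image bytes).
PHOTOS = {
    "p1001": ("alice", b"\x89PNG\r\n\x1a\n...alice"),
    "p1002": ("bob", b"\x89PNG\r\n\x1a\n...bob"),
}
# Constructed session store: bearer token -> logged-in user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
# Hypothetical server-side signing key; in practice load it from a secret store.
SIGNING_KEY = b"example-only-signing-key"


def vulnerable_get_photo(photo_id):
    """The flawed pattern: anyone who knows or guesses an id gets the bytes."""
    entry = PHOTOS.get(photo_id)
    return entry[1] if entry else None


def hardened_get_photo(photo_id, session_token):
    """Fix 1: resolve the session first; without a valid login, no image."""
    if SESSIONS.get(session_token) is None:
        return None
    entry = PHOTOS.get(photo_id)
    return entry[1] if entry else None


def sign_photo_url(photo_id, user, ttl=300, now=None):
    """Fix 2: give a logged-in user a short-lived HMAC-signed URL, so a CDN or
    bucket can serve the bytes without its own session lookup."""
    expires = int((time.time() if now is None else now) + ttl)
    msg = f"{photo_id}:{user}:{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return f"/photos/{photo_id}?u={user}&exp={expires}&sig={sig}"


def fetch_signed_url(url, now=None):
    """Edge-side check: reject unsigned, expired or tampered requests."""
    parsed = urlparse(url)
    photo_id = parsed.path.rsplit("/", 1)[-1]
    q = parse_qs(parsed.query)
    try:
        user, expires, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return None  # missing or malformed parameters count as unauthenticated
    if (time.time() if now is None else now) > expires:
        return None
    msg = f"{photo_id}:{user}:{expires}".encode()
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # path or query was altered after signing
    entry = PHOTOS.get(photo_id)
    return entry[1] if entry else None


def count_unauthenticated_leaks(getter, candidate_ids):
    """The check a tester runs: how many ids return bytes with no credentials."""
    return sum(1 for pid in candidate_ids if getter(pid) is not None)
```

The last function is the whole test in practice: walk a range of candidate ids with no cookie or token and count how many come back with image bytes. Against the vulnerable handler every existing photo leaks; against either fix the count is zero.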
“Fortunately, there appears to be no easy way to connect each of the images to specific individual profiles, although it may be possible to make educated guesses depending on how skilled the attacker is,” Hough told The Register.
Jack’d’s parent company, Online Buddies, has also shied away from responding to the issue, which could lead to a data breach.
Lately, dating apps have repeatedly been found to contain vulnerabilities, making them a lucrative target for attackers. Last year, another app, Grindr, came under scrutiny for sharing sensitive personal data with its analytics partners.