Kink and LGBT dating apps exposed 1.5m private user images online

Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.

Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.

These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20 January but didn't take action until the BBC emailed on Friday.

They have since fixed it but not said how it happened or why they failed to protect the sensitive images.

Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services.

He was shocked that he could access the unencrypted and unprotected photos without any password.

"The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he said.

"As soon as I saw it I realised that this folder should not have been public."

The images were not limited to those from profiles, he said – they included pictures which had been sent privately in messages, and even some which had been removed by moderators.

Mr Nazarovas said the discovery of unprotected sensitive material comes with a significant risk for the platforms' users.

Malicious hackers could have found the images and extorted individuals.

There is also a risk to those who live in countries hostile to LGBT people.

None of the text content of private messages was found to be stored in this way and the images are not labelled with user names or real names, which would make crafting targeted attacks at users more complex.

In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring.

But there's no guarantee that Mr Nazarovas was the only hacker to have found the image stash.

"We appreciate their work and have already taken the necessary steps to address the issue," a M.A.D Mobile spokesperson said. "An additional update for the apps will be released on the App Store in the coming days."

The company did not respond to further questions about where the company is based and why it took months to address the issue after multiple warnings from researchers.

Usually security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at further risk of attack.

But Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it.

"It's always a difficult decision but we think the public need to know to protect themselves," he said.

In 2015 malicious hackers stole a large amount of customer data about users of Ashley Madison, a dating website for married people who wish to cheat on their spouse.