Jack’d Leak: Dating App 'Exposes Millions of Private Photos'

Discussion in 'Dating and Relationships' started by Nick Delmacy, Feb 11, 2019.

  1. Nick Delmacy

    Nick Delmacy is a Verified MemberNick Delmacy Da Architect
    Site Founder The 10000 Daps Club

    Joined:
    Jun 28, 2013
    Messages:
    3,480
    Daps Received:
    11,655
    Gender:
    Male
    Location:
    Atlanta
    Orientation:
    Gay
    Dating:
    Not looking
    [​IMG]

    We’ve had mixed feelings about the gay dating & hookup app, Jack’d, for many years on Cypher Avenue. But this latest news of a massive private photo leak, that lasted for up to a year, has surely sealed the deal for us.

    According to the BBC News and Ars Technica, a security flaw “has been leaving images posted by users and marked as “private” in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users.”

    Those who knew where to look for the leaked images could find them easily online, even if they did not have an account with the dating app.

    Personally, I haven’t used Jack’d in a couple years, but i did have a couple face pics in my private photo section. Although I’m not concerned about my face being associated with a gay dating app, I’ve since deleted them nonetheless.

    [​IMG]

    While the security flaw apparently seems to now be fixed, the fact that the error was caused by the developers themselves, not Russian hackers, should give users pause when uploading their private images in the future. It’s doubly disappointing Here’s the full story, from Ars Technica:

    Amazon Web Services’ Simple Storage Service powers countless numbers of Web and mobile applications. Unfortunately, many of the developers who build those applications do not adequately secure their S3 data stores, leaving user data exposed—sometimes directly to Web browsers. And while that may not be a privacy concern for some sorts of applications, it’s potentially dangerous when the data in question is “private” photos shared via a dating application.

    [​IMG]

    Jack’d, a “gay dating and chat” application with more than 1 million downloads from the Google Play store, has been leaving images posted by users and marked as “private” in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured Web connection, identified by a sequential number. By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack’d users—public or private. Additionally, location data and other metadata about users was accessible via the application’s unsecured interfaces to backend data.

    The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users’ identity and location—were exposed to public view. Because the images were retrieved by the application over an insecure Web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal, homosexuals are persecuted, or by other malicious actors. And since location data and phone identifying data were also available, users of the application could be targeted

    There’s reason to be concerned. Jack’d developer Online-Buddies Inc.‘s own marketing claims that Jack’d has over 5 million users worldwide on both iOS and Android and that it “consistently ranks among the top four gay social apps in both the App Store and Google Play.” The company, which launched in 2001 with the Manhunt online dating website—”a category leader in the dating space for over 15 years,” the company claims—markets Jack’d to advertisers as “the world’s largest, most culturally diverse gay dating app.”

    [​IMG]

    The bug was fixed in a February 7 update. But the fix comes a year after the leak was first disclosed to the company by security researcher Oliver Hough and more than three months after Ars Technica contacted the company’s CEO, Mark Girolamo, about the issue. Unfortunately, this sort of delay is hardly uncommon when it comes to security disclosures, even when the fix is relatively straightforward. And it points to an ongoing problem with the widespread neglect of basic security hygiene in mobile applications.

    Hough discovered the issues with Jack’d while looking at a collection of dating apps, running them through the Burp Suite Web security testing tool. “The app allows you to upload public and private photos, the private photos they claim are private until you ‘unlock’ them for someone to see,” Hough said. “The problem is that all uploaded photos end up in the same S3 (storage) bucket with a sequential number as the name.” The privacy of the image is apparently determined by a database used for the application—but the image bucket remains public.

    Hough set up an account and posted images marked as private. By looking at the Web requests generated by the app, Hough noticed that the image was associated with an HTTP request to an AWS S3 bucket associated with Manhunt. He then checked the image store and found the “private” image with his Web browser. Hough also found that by changing the sequential number associated with his image, he could essentially scroll through images uploaded in the same timeframe as his own.

    Hough’s “private” image, along with other images, remained publicly accessible as of February 6, 2018.

    [​IMG]

    There was also data leaked by the application’s API. The location data used by the app’s feature to find people nearby was accessible, as was device identifying data, hashed passwords and metadata about each user’s account. While much of this data wasn’t displayed in the application, it was visible in the API responses sent to the application whenever he viewed profiles.

    After searching for a security contact at Online-Buddies, Hough contacted Girolamo last summer, explaining the issue. Girolamo offered to talk over Skype, and then communications stopped after Hough gave him his contact information. After promised follow-ups failed to materialize, Hough contacted Ars in October.

    On October 24, 2018, Ars emailed and called Girolamo. He told us he’d look into it. After five days with no word back, we notified Girolamo that we were going to publish an article about the vulnerability—and he responded immediately. “Please don’t I am contacting my technical team right now,” he told Ars. “The key person is in Germany so I’m not sure I will hear back immediately.”

    [​IMG]

    Girolamo promised to share details about the situation by phone, but he then missed the interview call and went silent again—failing to return multiple emails and calls from Ars. Finally, on February 4, Ars sent emails warning that an article would be published—emails Girolamo responded to after being reached on his cell phone by Ars.

    Girolamo told Ars in the phone conversation that he had been told the issue was “not a privacy leak.” But when once again given the details, and after he read Ars’ emails, he pledged to address the issue immediately. On February 4, he responded to a follow-up email and said that the fix would be deployed on February 7. “You should [k]now that we did not ignore it—when I talked to engineering they said it would take 3 months and we are right on schedule,” he added.

    In the meantime, as we held the story until the issue had been resolved, The Register broke the story—holding back some of the technical details.

    Continue reading more technical details and reporting on security flaw disclosure for companies here: Indecent disclosure: Gay dating app left “private” images, data exposed to Web

    Read the whole post here.
     
    mojoreece dapped this.
  2. ControlledXaos

    Squad Veteran Most Valuable Player The 1000 Daps Club

    Age:
    43
    Joined:
    Aug 21, 2015
    Messages:
    2,448
    Daps Received:
    6,842
    Gender:
    Male
    Location:
    Atlanna
    And people wonder why I don't send nudes.
     
  3. Jai

    Jai I'm honing in on my inner freak.
    The 1000 Daps Club Supporter

    Joined:
    Oct 8, 2015
    Messages:
    842
    Daps Received:
    1,393
    Gender:
    Male
    Location:
    U.S.
    Orientation:
    Asexual
    Dating:
    Single
    Haven't used Jackd in a minute. Never had private photos. Ain't no way. I never had private face phots nor pics of me bent over with my ass spread for the world to see.. I did remember that a long time ago if someone had a private pic they just recently changed, if they visit your page and you check your recently visited list, you could see their picture. I remember seeing someone's meat and going to their page but their pictures were not public.
     
  4. ControlledXaos

    Squad Veteran Most Valuable Player The 1000 Daps Club

    Age:
    43
    Joined:
    Aug 21, 2015
    Messages:
    2,448
    Daps Received:
    6,842
    Gender:
    Male
    Location:
    Atlanna
    I mean if you live in an intolerant area it would be dangerous to be outed via an app. However I can say that Jackd not allowing screen shots helped but tech savvy people can get around that. I have a virtual android phone on my computer and I can screen shot anything in Windows.

    My private photos are of my face. But I am private on jackd but my face is clear on Grindr. Lol
     
    African King dapped this.
  5. African King

    Squad Veteran Most Valuable Player The 1000 Daps Club Supporter

    Age:
    29
    Joined:
    Aug 21, 2015
    Messages:
    1,552
    Daps Received:
    3,468
    Gender:
    Male
    Location:
    Atlanta, Georgia
    Orientation:
    Homosexual
    Dating:
    Single
    I just downloaded Jackd and Grindr on my phone. Just out of curiosity and maybe I may try something I have not done before in 2019.
     
  6. Infinite_loop

    Infinite_loop Is this thing on?
    Bae Material The 1000 Daps Club

    Joined:
    Sep 7, 2015
    Messages:
    747
    Daps Received:
    2,311
    Gender:
    Male
    Location:
    BK
    Orientation:
    SGL
    Dating:
    Single
    I was expecting this to happen at some point. Any picture uploaded to the internet should be considered public by default IMHO.
    Also, S3 buckets accidentally made public was the highlight of engineering fuckups in 2017-2018 majors incidents were the U.S Department of Defense(lol) and GoDaddy.
    Someone literally keeps a list on Github of the many companies that have "accidentally" made S3 data public nagwww/s3-leaks
    The problem with that particular AWS service is because it's a Swiss Army knife. it is essentially like Google Drive on steroids. which is both what's good and bad about it. For instance, you can host your blog, document or anything on there anything you want to be public. I keep my resumé on an S3 bucket and just share the link on my personal website for recruiters to see.

    On the other hand, we use it at my job to store encrypted secret data and other sensitive data. The problem? A few years ago, It was incredibly easy to make everything public
     
  7. Omega Level

    Omega Level DRACARYS
    The 1000 Daps Club

    Age:
    41
    Joined:
    Sep 9, 2015
    Messages:
    640
    Daps Received:
    1,577
    Gender:
    Male
    Location:
    New York
    Dating:
    Single
    The only surprise here is people still thinking anything is "private" on a fuckin app or anything online/internet for that matter. I mean seriously!

    Yes, companies having leaks and security breaching is messed up, blah, blah, blah.... If you are a stickler about not having your face, dick, or ass shown, then DONT TAKE A PIC OF IT.

    Once you post or share ANYTHING via text, online, app, etc. Its out there and may show up anywhere. Its pretty much that simple.
     
  8. Infinite_loop

    Infinite_loop Is this thing on?
    Bae Material The 1000 Daps Club

    Joined:
    Sep 7, 2015
    Messages:
    747
    Daps Received:
    2,311
    Gender:
    Male
    Location:
    BK
    Orientation:
    SGL
    Dating:
    Single
    I would argue that this should not be the case though. Companies have an obligation to hold their end of the bargain when it comes to protecting our data. We shouldn't accept the mishandling of our personal information as the status quo.

    This has to do with misplaced priorities (incompetence ) more than anything. Jack'd app developers didn't think it was a "big deal", but they've already gone through the trouble of creating an app and scaling it to millions of users(and in turn, promising those millions of users that their information is private and safe). it should have taken them a few extra weeks of effort and money to prevent something like what's described in the blog to happen.

    What should happen instead is for Apple and Google to require apps to have more extensive security audit before they are published on the app store(s) and for the government to come in and punish companies like Jack'd and Equifax for breaking the trust of their users.

    We should not accept mediocrity. If we pay money for a service or in case of free apps, our personal data is used for ads, then we should expect in return for our data to be handled with care.
     
    ControlledXaos and SB3 dapped this.
  9. SB3

    SB3 is a Featured MemberSB3
    Squad Veteran Most Valuable Player The 1000 Daps Club Supporter

    Age:
    36
    Joined:
    Aug 31, 2015
    Messages:
    3,493
    Daps Received:
    8,037
    Gender:
    Male
    Location:
    BK, NY
    I keep tellin yall to join me in making the warriorsforchrist app pop, but yall wanna keep playin w the jakd...
     
  10. ControlledXaos

    Squad Veteran Most Valuable Player The 1000 Daps Club

    Age:
    43
    Joined:
    Aug 21, 2015
    Messages:
    2,448
    Daps Received:
    6,842
    Gender:
    Male
    Location:
    Atlanna
    I agree @Infinite_loop These apps have paid tiers in addition to advertising dollars. A secure app should be paramount on their list of priorities.

    Can you imagine what would happen if their messages were released and put into a dump where people could search phone numbers and read the messages tied to those numbers? People would freak out.
     
  11. Jeremy Carter Powell

    Supporter

    Age:
    35
    Joined:
    Oct 8, 2015
    Messages:
    20
    Daps Received:
    62
    Gender:
    Male
    Location:
    Atlanta, GA
    Dating:
    Single
    I'm just mad nobody informed me. Dammit.
     
  12. over-it

    over-it Only the REAL

    Joined:
    Sep 11, 2015
    Messages:
    57
    Daps Received:
    55
    Gender:
    Male
    Location:
    ATL
    Dating:
    Single
    Faaaaaaaaaaacts
     
  13. over-it

    over-it Only the REAL

    Joined:
    Sep 11, 2015
    Messages:
    57
    Daps Received:
    55
    Gender:
    Male
    Location:
    ATL
    Dating:
    Single
    Faaaaaaaaaaacts bro
     
  14. over-it

    over-it Only the REAL

    Joined:
    Sep 11, 2015
    Messages:
    57
    Daps Received:
    55
    Gender:
    Male
    Location:
    ATL
    Dating:
    Single
  15. DFW Brutha

    The 100 Daps Club

    Age:
    38
    Joined:
    Dec 8, 2015
    Messages:
    285
    Daps Received:
    334
    Gender:
    Male
    Location:
    Dallas-Fort Worth
    Dating:
    Single
    50% of the pics are recycled fakes

    [​IMG]
     
    SB3 dapped this.
Loading...
Similar Threads - Jack’d Leak Dating Forum Date
Went On Jack’d To Get Laid...Instead I Got Recognized Dating and Relationships Sep 23, 2016
Atlanta police bust man in violent Jack’d robberies Dating and Relationships Nov 19, 2015
Data Leak in Singapore Exposes HIV Status of 14,000 Locals and Foreign Visitors LGBT News and Events Jan 28, 2019
Anti-Gay Televangelist caught admitting that he slept with a man in leaked recording LGBT News and Events Jan 22, 2019
Leaked Meeting Audio Proves NFL Owners Worried About Appeasing White Fans Race, Religion, Science and Politics Apr 25, 2018

Share This Page

Loading...