Data leak: 1.5 million private photos from dating apps for LGBTQ+ revealed
iOS dating apps for the LGBTQ+, BDSM and sugar daddy communities have exposed large numbers of user photos, including explicit images from private messages.
New privacy nightmare for users of dating apps: Several iOS apps distributed via the Apple Store, which are aimed at the LGBTQ+ community and lovers of sugar dating and BDSM, have leaked highly sensitive content on a large scale. A total of almost 1.5 million private user photos from the BDSM People, Chica, Translove, Pink and Brish apps have been compromised, reports the research team from the Lithuanian portal Cybernews. These included explicit images that users had sent to each other in private messages. Those affected, who depend on heightened protection of their privacy, are thereby exposed to an increased risk of hostility, among other harms.
According to the report, the developer of the applications, the company M.A.D. Mobile Apps Developers, shipped information that should have been kept secret, such as keys for application programming interfaces (APIs), passwords or encryption keys, inside the apps' own code. This is dangerous because credentials embedded in a client application are accessible to anyone who inspects it. Attackers could easily misuse them to gain access to back-end systems. In this case, according to Cybernews, some of the leaked secrets granted access to user photos in storage buckets in the Google Cloud. These storage buckets were accessible without password protection.
According to the team, the publicly accessible photos included not only those from direct messages but also profile photos, public posts, profile verification images and photos removed due to rule violations. In the BDSM People app alone, 541,000 private images are said to have been visible, including 90,000 from messages that users sent to each other. The sugar daddy app Chica is said to have leaked 133,000 images, also partly from private chats. According to the researchers, the three other LGBTQ+ dating apps with the same architecture exposed over 1.1 million images. M.A.D. has not yet responded to a request for comment. The applications have download figures in the tens of thousands to hundreds of thousands.
M.A.D. is not an isolated case
Malicious actors often use highly sensitive leaked content for blackmail, social engineering and attempts to damage a person's professional reputation, the authors point out. Furthermore, those affected could be exposed to an increased risk of harassment. As homosexuality is illegal in some countries, the risk of app users being persecuted is greatest there. The exposed storage buckets do not contain any specific identity data such as user names, emails or messages. Nevertheless, malicious actors could use openly available techniques such as reverse image search with biometric facial recognition to track down the people behind the photos.
The researchers discovered the leak after a large-scale investigation. The team downloaded 156,000 iOS apps – around 8 percent of all applications in the Apple Store. They discovered that developers often leave hard-coded login information in the source code that is accessible to everyone: 71 percent of the apps analyzed revealed "at least one secret", with the code of an average app revealing 5.2 such "secrets". Stiftung Warentest criticized the often inadequate data protection of dating apps such as Tinder, Lovoo, Parship, Lesarion and Grindr some time ago. The operator of the latter platform has been fined millions in Norway for passing on personal information to third parties for targeted advertising.
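Hard-coded secrets of the kind described above are found by scanning the strings shipped in an app for known credential formats, which is the same type of check the researchers applied across the apps they downloaded. The following is an added Python example, not tooling from the article or from Cybernews, that scans a constructed config snippet for Google API key and AWS access key ID formats and for random-looking values assigned to names like "secret" or "password"; the sample values, the generic pattern and the entropy threshold are assumptions of this example.

```python
import math
import re
from collections import Counter

# Constructed sample resembling a client-side config shipped inside an app
# bundle; every value is an invented placeholder, not from any real app.
SAMPLE_APP_SOURCE = """\
// constructed sample, not a real application
let googleApiKey = "AIzaSyD-ExampleExampleExampleExample123"
let bucketName = "user-photos-prod"
let storageSecret = "kQ9v2Lx8RzT4mN7pWb3c"
let placeholderPassword = "changeme"
let awsAccessKeyId = "AKIAEXAMPLEEXAMPLE12"
"""

# Public formats of Google API keys and AWS access key IDs, plus a generic
# name = "value" heuristic (the generic pattern is an assumption here).
SPECIFIC = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
GENERIC = re.compile(
    r"(?i)(?:api[_-]?key|secret|password|token)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credential material scores high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def redact(value: str) -> str:
    """Never re-print a credential in full; keep a short prefix for triage."""
    return value[:6] + "..."


def scan_text(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return at most one finding per line: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SPECIFIC.items():
            m = pat.search(line)
            if m:
                findings.append({"line": lineno, "kind": kind, "value": redact(m.group(0))})
                break
        else:
            m = GENERIC.search(line)
            # Placeholders such as "changeme" are low-entropy and are skipped.
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                findings.append({"line": lineno, "kind": "assigned_secret", "value": redact(m.group(1))})
    return findings
```

Run over the real strings of an app bundle, the per-app finding count is the "secrets per app" figure the article quotes; a key found this way should be rotated, and the bucket it unlocks checked for anonymous access.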
(nen)