Image caption: The Jack’d dating app allowed men to upload “private” photos, but stored them open to public viewing, the same as the rest.
Amazon Web Services’ Simple Storage Service (S3) powers countless web and mobile applications. Unfortunately, many of the developers who build those applications do not adequately secure their S3 data stores, leaving user data exposed—sometimes directly to web browsers. While that may not be a privacy concern for some kinds of applications, it is potentially dangerous when the data in question is “private” photos shared through a dating application.
Jack’d, a “gay dating and chat” application with over 1 million downloads from the Google Play store, has been leaving images posted by users and marked as “private” in chat sessions open to browsing on the Internet, potentially compromising the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured web connection, each identified by a sequential number. By simply traversing the range of sequential values, it was possible to view every image uploaded by Jack’d users—public or private. Additionally, location data and other metadata about users were accessible via the application’s unsecured interfaces to backend data.
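The enumeration pattern described above leaves a recognisable trace in S3 server access logs: anonymous requests (requester field `-`) walking consecutive numeric object keys. The following script is an added example, not code from the article or from Jack’d; it parses constructed log lines (bucket name, request IDs and IP addresses are all made up) and flags any anonymous client that fetched a run of consecutive numeric keys.

```python
import re
from collections import defaultdict

# Constructed S3 server-access-log lines (not real traffic). A requester of "-"
# means the object was served to an anonymous caller, i.e. the bucket is public.
SAMPLE_LOG = """\
OWNER photos [06/Feb/2019:00:00:38 +0000] 203.0.113.7 - R1 REST.GET.OBJECT 1000.jpg "GET /photos/1000.jpg HTTP/1.1" 200 - 48211 48211 12 11 "-" "curl/7.64" -
OWNER photos [06/Feb/2019:00:00:39 +0000] 203.0.113.7 - R2 REST.GET.OBJECT 1001.jpg "GET /photos/1001.jpg HTTP/1.1" 200 - 51022 51022 10 9 "-" "curl/7.64" -
OWNER photos [06/Feb/2019:00:00:39 +0000] 203.0.113.7 - R3 REST.GET.OBJECT 1002.jpg "GET /photos/1002.jpg HTTP/1.1" 200 - 39870 39870 9 8 "-" "curl/7.64" -
OWNER photos [06/Feb/2019:00:00:40 +0000] 203.0.113.7 - R4 REST.GET.OBJECT 1003.jpg "GET /photos/1003.jpg HTTP/1.1" 200 - 60120 60120 11 10 "-" "curl/7.64" -
OWNER photos [06/Feb/2019:00:01:02 +0000] 198.51.100.9 79a59df900b949e5 R5 REST.GET.OBJECT 2048.jpg "GET /photos/2048.jpg HTTP/1.1" 200 - 40011 40011 8 7 "-" "okhttp/3.12" -
"""

# Leading fields of the S3 server access log format, up to the HTTP status.
LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<reqid>\S+) (?P<op>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d+)'
)
KEY_NUM_RE = re.compile(r'^(\d+)\.')  # object keys such as 1000.jpg


def parse_s3_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_sequential_enumeration(records, min_run=3):
    """Return (ip, first_id, last_id, count) for each anonymous client that
    successfully fetched at least min_run objects with consecutive numeric keys."""
    ids_by_ip = defaultdict(set)
    for r in records:
        m = KEY_NUM_RE.match(r["key"])
        if r["requester"] == "-" and r["op"] == "REST.GET.OBJECT" \
                and r["status"] == "200" and m:
            ids_by_ip[r["ip"]].add(int(m.group(1)))
    findings = []
    for ip, ids in ids_by_ip.items():
        run = []
        for n in sorted(ids) + [None]:          # sentinel closes the last run
            if run and (n is None or n != run[-1] + 1):
                if len(run) >= min_run:
                    findings.append((ip, run[0], run[-1], len(run)))
                run = []
            if n is not None:
                run.append(n)
    return findings


if __name__ == "__main__":
    for hit in find_sequential_enumeration(parse_s3_log(SAMPLE_LOG)):
        print("anonymous sequential fetch from %s: ids %d..%d (%d objects)" % hit)
```

The authenticated request from the second client is deliberately not flagged; the signal is anonymous access to a predictable key space, which is exactly what an unguessable object key plus a non-public bucket removes.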
The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users’ identity and location—were exposed to public view. Because the images were retrieved by the application over an insecure web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal or homosexuals are persecuted, as well as other malicious actors. And since location data and phone-identifying data were also available, users of the application could be targeted