The bug is fixed in a February 7 update. But the fix comes a year after the leak was first disclosed to the company by security researcher Oliver Hough and more than three months after Ars Technica contacted the company's CEO, Mark Girolamo, about the issue.
Unfortunately, this sort of delay is hardly uncommon when it comes to security disclosures, even when the fix is relatively straightforward. And it points to an ongoing problem with the widespread neglect of basic security hygiene in mobile applications.
By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack'd users—public or private.
Additionally, location data and other metadata about users was accessible via the application's unsecured interfaces to backend data. The result was that intimate, private images—including pictures of genitalia and photos that revealed information about users' identity and location—were exposed to public view.
Because the images were retrieved by the application over an insecure Web connection, they could be intercepted by anyone monitoring network traffic, including officials in areas where homosexuality is illegal, homosexuals are persecuted, or by other malicious actors. And since location data and phone identifying data were also available, users of the application could be targeted.
There's reason to be concerned.
Jack'd developer Online-Buddies Inc.
Hough discovered the issues with Jack'd while looking at a collection of dating apps, running them through the Burp Suite Web security testing tool. Hough set up an account and posted images marked as private. He then checked the image store and found the "private" image with his Web browser. Hough also found that by changing the sequential number associated with his image, he could essentially scroll through images uploaded in the same timeframe as his own.
Hough's "private" image, along with other images, remained publicly accessible as of February 6. There was also data leaked by the application's API. The location data used by the app's feature to find people nearby was accessible, as was device identifying data, hashed passwords and metadata about each user's account.
While much of this data wasn't displayed in the application, it was visible in the API responses sent to the application whenever he viewed profiles. After searching for a security contact at Online-Buddies, Hough contacted Girolamo last summer, explaining the issue. Girolamo offered to talk over Skype, and then communications stopped after Hough gave him his contact information.
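The two failures described above, sequential image ids served with no ownership check, and profile API responses that carry the whole backend record and leave it to the client to hide fields, are the classic shape of a broken-access-control bug. The following Python is an added illustration, not code from the article or from Online-Buddies: each flawed pattern sits beside a hardened form. All class names, the sample record, the coordinates and the 5 km distance bucket are constructed for this example.

```python
"""Added example: insecure direct object reference on an image store, and
over-sharing in an API response, each next to a hardened version.
Everything here (names, record, ids, coordinates) is constructed."""
import math
import secrets
from dataclasses import dataclass


@dataclass
class Image:
    owner: str
    private: bool
    data: bytes


class VulnerableImageStore:
    """Sequential ids and no server-side check of the 'private' flag.

    Anyone who knows or guesses an id gets the bytes, so walking the id
    range walks every upload, public or private, which is what the
    article describes."""

    def __init__(self):
        self._images = {}
        self._next_id = 1

    def upload(self, owner, private, data):
        image_id = self._next_id
        self._next_id += 1
        self._images[image_id] = Image(owner, private, data)
        return image_id

    def fetch(self, requester, image_id):
        return self._images[image_id].data  # no authorization at all


class HardenedImageStore:
    """Unguessable ids plus an ownership check enforced by the server."""

    def __init__(self):
        self._images = {}

    def upload(self, owner, private, data):
        image_id = secrets.token_urlsafe(32)  # 256 random bits; no sequence to walk
        self._images[image_id] = Image(owner, private, data)
        return image_id

    def fetch(self, requester, image_id):
        image = self._images.get(image_id)
        # One error for "missing" and "not yours": the response must not
        # confirm that a guessed id exists.
        if image is None or (image.private and image.owner != requester):
            raise PermissionError("not found")
        return image.data


def can_fetch(store, requester, image_id):
    """True if the store serves the image to `requester`, False if it refuses."""
    try:
        store.fetch(requester, image_id)
        return True
    except (PermissionError, KeyError):
        return False


# Constructed sample row: what a backend might hold for one user.
SAMPLE_RECORD = {
    "username": "alice",
    "age": 29,
    "bio": "hiking and coffee",
    "lat": 51.5074, "lon": -0.1278,  # exact coordinates
    "device_id": "constructed-device-id",
    "password_hash": "constructed-hash",
}

PUBLIC_FIELDS = ("username", "age", "bio")


def vulnerable_profile_response(record):
    """Sends the whole row; the client merely hides what it does not display."""
    return dict(record)


def hardened_profile_response(record, viewer_lat, viewer_lon):
    """Send only viewable fields; location is reduced to a coarse distance."""
    response = {k: record[k] for k in PUBLIC_FIELDS}
    response["distance_km"] = _coarse_distance_km(
        record["lat"], record["lon"], viewer_lat, viewer_lon)
    return response


def _coarse_distance_km(lat1, lon1, lat2, lon2):
    """Equirectangular approximation rounded up to a 5 km bucket.
    Bucketing limits, but does not by itself defeat, trilateration from
    repeated queries; a per-user query rate limit is still needed."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    km = 6371 * math.hypot(x, y)
    return 5 * math.ceil(km / 5) if km > 0 else 0
```

The point of the hardened store is that the fix is two independent controls: random ids stop the enumeration, and the server-side ownership check stops a leaked or shared id from exposing a private image. The profile API change follows the same idea of building the response from an allow-list of fields rather than filtering the client.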
After promised follow-ups failed to materialize, Hough contacted Ars in October. On October 24, Ars emailed and called Girolamo. He told us he'd look into it.