The Register has reported a major security flaw in the dating and hook-up app Jack’d: private photos, videos, and chats shared between users of the app can be viewed by anyone online.
The news outlet also notes that these intimate photos can be “accessed by anyone with a web browser” and as “there is no authentication, no need to sign up to the app, and no limits in place, miscreants can therefore download the entire image database for further havoc and potential blackmail.”
The Register reports that the flaw was first discovered by researcher Oliver Hough, who says he reported it to Jack’d three months ago. Hough says that the security flaw has not been fixed.
According to The Register:
We were able to verify it is possible to access masses of public and private images without logging in nor installing the app. The app should place strict access restrictions on which images should be viewable, so that if one user allows another user to see a sext pic, only the receiver should be allowed to see it. Instead, it is possible to see everyone’s naked selfies, to be frank.
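The class of flaw described above is a media endpoint that authorises nothing: the only input is an image identifier, so anyone who can guess or enumerate identifiers can pull every file, and with no rate limit they can pull all of them. As an added illustration (not Jack’d’s code, and not from The Register or Hough), the vulnerable policy is shown beside a hardened one that checks the requester against the share relation and throttles bulk fetching. The store, user names, identifiers, limits and function names are all constructed for this example.

```python
"""Constructed example: unauthenticated media access versus an authorised,
rate-limited policy. Nothing here is taken from the Jack'd app."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class MediaItem:
    media_id: str
    owner: str
    shared_with: set = field(default_factory=set)  # users the owner sent it to
    public: bool = False                            # e.g. a profile photo


# Constructed sample store: one public profile photo, one privately shared photo.
STORE = {
    "img-001": MediaItem("img-001", owner="alice", public=True),
    "img-002": MediaItem("img-002", owner="alice", shared_with={"bob"}),
}

# Constructed throttling parameters (fixed for the example).
RATE_LIMIT = 5        # requests per requester ...
RATE_WINDOW = 60.0    # ... per this many seconds
_requests = defaultdict(deque)


def vulnerable_media_access(media_id):
    """The flaw: existence of the id is the only check. No identity, no
    authorisation, no limit, so every stored item is retrievable by anyone."""
    return media_id in STORE


def _within_rate_limit(requester, now):
    """Sliding-window counter. Every attempt is counted, including ones that
    are refused, so an enumeration of ids is throttled as well."""
    window = _requests[requester]
    while window and now - window[0] >= RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return False
    window.append(now)
    return True


def hardened_media_access(media_id, requester, now=0.0):
    """Returns True only if `requester` may fetch `media_id` at time `now`.

    Order matters: require a logged-in identity first, count the attempt
    against the rate limit second, and only then consult the share relation.
    Missing and forbidden items are answered identically so that the endpoint
    cannot be used to confirm which ids exist."""
    if requester is None:
        return False
    if not _within_rate_limit(requester, now):
        return False
    item = STORE.get(media_id)
    if item is None:
        return False
    if item.public:
        return True
    return requester == item.owner or requester in item.shared_with
```

The vulnerable function answers purely on the identifier, which is what lets a browser with no account download the whole image set. The hardened version denies anonymous callers outright, counts every attempt (so probing for valid ids burns the caller's quota), and serves a private image only to its owner or to the user it was shared with.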
Obviously, having the private images of users accessible to the whole world is not an intended function of the app. Apart from leaking highly compromising snaps of folks, some of its users may not be publicly out as gay or bi, and thus a trove of compromising images of them sitting on the web is not particularly great for their welfare – particularly if homosexuality is illegal where they live.
According to Hough, there does not appear to be a way to connect the explicit photos and videos to a specific person’s profile, “although it may be possible to make educated guesses depending on how skilled the attacker is.”
Jack’d parent company Online Buddies did not respond to The Register’s repeated requests for an explanation.
Update: According to Ars Technica, the security issues first reported by The Register appear to extend beyond just leaking people’s private pictures and videos.
The app also reportedly exposed users’ locations and other information that could help identify a person.
Both Hough and Ars Technica have now confirmed that the security flaw appears to be corrected; however, Hough says he plans to continue testing to ensure there are no other ways around the fix.