Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Researchers have discovered almost 1.5 million images from specialist dating apps, many of them explicit, stored online without password protection, leaving them vulnerable to hackers and extortionists.
Anyone with the link could view the private photos from five platforms developed by Mad Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.
These services are used by an estimated 800,000 to 900,000 people.
Mad Mobile was first warned about the security flaw on January 20, but did not take action until the BBC sent an email on Friday.
The company has since fixed it, but has not said how it happened or why it could not protect the sensitive images.
Ethical hacker Aras Nazarovas from Cybernews first alerted the company to the security hole after finding the location of the online storage used by the apps by analyzing the code that powers the services.
He was surprised to find he could access the unencrypted, unprotected photos without any password.
“The first application I investigated was BDSM People, and the first image in the folder was a naked man of about thirty years,” he said.
“As soon as I saw it I realized that this folder should not have been public.”
The images were not limited to those from profiles, he said: they included images that had been sent privately in messages, and even some that had been removed by moderators.
Nazarovas said that the discovery of unprotected sensitive material poses a significant risk for the platforms' users.
Malicious hackers could have found the images and extorted people.
There is also a risk for those living in countries hostile to LGBT people.
None of the text content of private messages was found to be stored in this way, and the images are not labeled with usernames or real names, which would make crafting targeted attacks on users more complex.
In an email, Mad Mobile said it was grateful to the researcher for discovering the vulnerability in the applications, preventing a data breach from occurring.
But there is no guarantee that Mr. Nazarovas was the only hacker who found the image stash.
“We appreciate your work and we have already taken the necessary measures to address the problem,” said a spokesman for Mad Mobile. “An additional update will be launched for applications in the App Store in the next few days.”
The company did not answer further questions about where it is based and why it took months to address the problem after multiple warnings from researchers.
In general, security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at higher risk of attack.
But Mr. Nazarovas and his team decided to raise the alarm on Thursday while the problem was still live, since they were worried that the company was not doing anything to fix it.
“It is always a difficult decision, but we believe that the public needs to know to protect themselves,” he said.
In 2015, malicious hackers stole a large amount of customer data from Ashley Madison, a dating website for married people who want to cheat on their spouse.