Dating/hook-up app Jack’d is publicly sharing, without permission, photos that users think they’re sharing privately.
The Android version of the app has been downloaded 110,562 times from Google’s Play store, and it’s also available on iOS.
Jack’d is designed to help gay, bi and curious guys to connect, chat, share, and meet on a worldwide basis. That includes enabling them to swap private and public photos.
But as it turns out, what should be its “private” photos… aren’t.
Unfortunately, as the Register reported on Tuesday, anyone with a web browser who knows where to look can access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app. Nor are there any limits in place: anyone can download the entire image database for whatever mischief they want to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.
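The two missing controls the Register describes (no authentication on image requests, and an image store that can be walked end to end) are easiest to see side by side. The following is an added illustration, not Jack’d code; the `PhotoStore` class, its method names and the sample users are assumptions for the demo:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Photo:
    owner: str
    public: bool
    shared_with: set = field(default_factory=set)


class PhotoStore:
    """Minimal model of per-user photo sharing with a hardened fetch path."""

    def __init__(self):
        self._meta = {}
        self._bytes = {}

    def upload(self, owner, data, public=False):
        # Random, unguessable IDs: a client cannot enumerate the whole
        # collection by counting upward through sequential names.
        photo_id = secrets.token_urlsafe(24)
        self._meta[photo_id] = Photo(owner, public)
        self._bytes[photo_id] = data
        return photo_id

    def share(self, actor, photo_id, recipient):
        # Only the owner may extend a private photo's audience.
        photo = self._meta[photo_id]
        if photo.owner != actor:
            raise PermissionError("only the owner can share this photo")
        photo.shared_with.add(recipient)

    def fetch_unchecked(self, photo_id):
        # The reported failure mode: bytes served purely on knowing the path,
        # with no session and no ownership check. Kept here for contrast only.
        return self._bytes.get(photo_id)

    def fetch(self, session_user, photo_id):
        # Hardened path: reject anonymous callers outright, then require that
        # the photo is public, owned by the caller, or explicitly shared.
        if session_user is None:
            return None
        photo = self._meta.get(photo_id)
        if photo is None:
            return None
        if photo.public or session_user == photo.owner \
                or session_user in photo.shared_with:
            return self._bytes[photo_id]
        return None
```

The check is enforced server-side on every request; an unguessable ID is a secondary defence against bulk download, not a substitute for the session check.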
The finding comes from researcher Oliver Hough, who told the Register that he reported the security bug to the Jack’d programming team three months ago. Whoever’s behind the app hasn’t yet supplied a fix for the security glitch, which the Register has confirmed.
Given the sensitive nature of the photos that are up for grabs to one and all, the publication chose to publish its report – without giving out many details – rather than leave users’ content in danger while waiting for the Jack’d team to respond.
The thin silver lining
On the just-about-plus side, there’s apparently no easy way to connect photos to specific individuals’ profiles. Hough said that it might be possible to make educated guesses, though, depending on how slick a given attacker is.
This isn’t Hough’s first discovery of touchy content being left out to bake in the sun. He was the researcher who discovered another big, wide-open, no-password-required database a few months ago: in November, he reported that he’d found that a popular massage-booking app called Urban had spilled the beans on 309,000 customer profiles, including comments from their masseurs or masseuses on how creepy their customers are.
Kill your Jack’d photos
If the reports are accurate, the safest thing for users at this point is to delete their photos until the issue is fixed.
Given how sensitive the information is that gets trusted to mobile dating apps, it might also be wise to abstain from sharing too much. All too often, the apps spill highly personal data.
Besides Jack’d, Grindr is an example: as of September, the premium gay dating app was still exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status, after five years of controversy over the app’s oversharing.
The oversharing of that data can put gay men at risk of being stalked or arrested and imprisoned by repressive governments. As of September, anybody could still obtain the exact locations of millions of cruising men, in spite of what Grindr claimed last April.
Please warn Jack’d users
As of Tuesday night, Jack’d parent company Online Buddies hadn’t responded to the Register’s repeated requests, and mine, for an explanation of its public sharing of private content.
Readers, we always ask that you share articles you find useful. But in this case, there’s a particularly pressing need, given that the issue apparently isn’t being acknowledged or addressed at this point. If you know of any Jack’d users, please do warn them that they’re at risk of having their intimate photos intercepted.