A $240,000 fine has been imposed on Online Buddies, the company behind gay/bi/trans/curious dating app Jack’d – for leaving users’ private, often nude, photos up for grabs for a year.
“Only you can see your private pictures until you unlock them for someone else,” Jack’d promised, even after a researcher found that that was far from true. In fact, anyone with a web browser who knew where to look could access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app.
The Office of New York Attorney General Letitia James on Friday announced the settlement, handed down for:
Failure to protect private photos of users of its ‘Jack’d’ dating application … and the nude images of approximately 1,900 users in the gay, bisexual, and transgender community.
From the announcement:
Although the company represented to users that it had security measures in place to safeguard users’ information, and that certain photos would be marked ‘private,’ the company failed to implement reasonable protections to keep those photos private, and continued to leave security vulnerabilities unfixed for a year after being alerted to the problem.
The Attorney General office’s release said that Jack’d – a dating app that claims to have hundreds of thousands of active users worldwide and which markets itself as a tool to help men in the LGBTQIA+ community to hook up and date – “explicitly and implicitly” assures users that its private pictures feature can be used to exchange nude images securely and privately.
The app interface presents users with two screens when they upload selfies: one for photos designated as “public” and another for photos designated as “private.” That private page shouldn’t be viewable by anyone the user hasn’t granted access to.
The app’s public photos screen displays a message stating, ‘[T]ake a selfie. Remember, no nudity allowed.’ However, when the user navigates to the private photos screen, the message about nudity being prohibited disappears, and the new message focuses on the user’s ability to limit who can see private pictures by specifically stating, ‘Only you can see your private pictures until you unlock them for someone else.’
In February 2019, researcher Oliver Hough finally went public after having told Online Buddies about the security bug a year prior.
Not only could anybody get at users’ photos, but the Jack’d app also neglected to have any limits in place: anyone could have downloaded the entire image database for whatever mischief they wanted to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or leads to harassment.
Given the sensitive nature of the photos that were exposed, publications including The Register chose to publish Hough’s findings – without giving out many details – rather than leave users’ content in danger while waiting for the Jack’d team to respond.
Photos were exposed for a year
The New York State Attorney General’s Office conducted an investigation that confirmed that senior management had been told about the vulnerability – in fact, two vulnerabilities – back in February 2018.
Its investigation found that Online Buddies had failed to secure user data, including intimate photos, that it stored using Amazon Web Services Simple Storage Service (S3). Management had also been told about a second vulnerability that was caused by the failure to secure the app’s interfaces to backend data.
The vulnerabilities could have exposed users’ personally identifiable information (PII), including location data, device ID, operating system version, last login date, and hashed password. Combined, they also left the door open to attackers getting at private photos, public photos (that may have included the user’s face), and other PII, including their location, device ID, and when they last used the app.
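The S3 exposure described above is the kind of misconfiguration a routine bucket-policy audit catches long before a researcher does. The Python below is an added example, not code from the article, from Online Buddies or from the Jack’d app. The announcement does not say how the bucket was left open, so the example assumes the simplest form of the failure: a bucket policy that grants the anonymous principal `s3:GetObject`. The bucket name, account id and role ARN in the sample policies are constructed placeholders; `find_public_read_statements` and `public_access_block_is_complete` are names chosen here.

```python
"""Audit an S3 bucket policy for anonymous object read access.

Added example, not from the article. Assumes the exposure took the form
of a bucket policy allowing the anonymous principal to read objects; the
bucket name, account id and role ARN below are constructed placeholders.
"""
import json

# Actions that let the caller fetch object contents.
OBJECT_READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a Principal element matches everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def grants_object_read(actions):
    """True when any listed action would return object contents."""
    return any(a.lower() in OBJECT_READ_ACTIONS for a in _as_list(actions))


def find_public_read_statements(policy):
    """Return the Allow statements that give anonymous callers object read.

    A statement carrying a Condition block is still reported: conditions
    such as a Referer match do not authenticate anyone.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if not grants_object_read(stmt.get("Action")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_access_block_is_complete(config):
    """True only when all four S3 Block Public Access flags are enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(flag) is True for flag in required)


# Constructed sample: the failure mode, every object readable by anyone.
WORLD_READABLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-photo-bucket/*"
  }]
}""")

# Constructed sample: the corrected shape. Only the app backend role can
# read, so the app performs its own access check and then hands the
# client a short-lived presigned URL instead of a world-readable object.
RESTRICTED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackendOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-backend"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-photo-bucket/*"
  }]
}""")


if __name__ == "__main__":
    for name, policy in (("world-readable", WORLD_READABLE_POLICY),
                         ("restricted", RESTRICTED_POLICY)):
        hits = find_public_read_statements(policy)
        print(f"{name}: {len(hits)} public-read statement(s) {hits}")
    print("block public access complete:",
          public_access_block_is_complete({"BlockPublicAcls": True,
                                           "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": True,
                                           "RestrictPublicBuckets": True}))
```

The policy check is only half of the fix the article implies: the second vulnerability it mentions, unsecured interfaces to backend data, means the backend itself must verify that the requesting account has been granted access to a given private photo before it issues any URL, whatever the bucket policy says.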
James’s office said that the company knew how serious these vulnerabilities were, but that it was only after the press came knocking on its door that it acknowledged them. Jack’d fixed the problem the same day – 7 February 2019 – that Ars Technica reported on it.
It’s not just Jack’d
Unfortunately, spilling highly personal data is more or less par for the course with mobile apps, including the often extremely sensitive personal data collected by, and shared via, dating apps.
Besides Jack’d, Grindr is an example: as of September 2018, the premium gay dating app was still exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status, after five years of controversy over the app’s oversharing.
Another frightening example is that of Hzone, the dating site for HIV-positive people that was leaking sensitive user data in 2015.
Hzone showed the same lack of response to notification that Online Buddies did: for days after being told about its leak, sensitive data was still exposed, including users’ date of birth, religion, relationship status, country, email address, ethnicity, height, last login IP address, username, orientation, number of children, password hash, nicknames, political views and sexual life experiences, profile photos, and messages that often contained sensitive data about their diagnosis.
You always have to be careful about what sensitive data you share. You always need to bear in mind that data gets spilled. The type of data spilled by dating apps is of a particularly sensitive nature, though, which makes it all the more concerning when those who promise to protect it and keep it secure do nothing of the sort.
User, beware. While any app or online service can have a leak or breach, a failure to respond promptly to notification, combined with a failure to put safeguards in place after learning of that breach, is a very bad sign.