New York's attorney general has settled a complaint over gay, bisexual, and queer dating app Jack'd, whose parent company left users' private photos exposed online for at least a year. The company, Online Buddies, will pay $240,000 and implement a “comprehensive security program” to prevent similar incidents in the future.

The Register and Ars Technica first reported on the Jack'd security flaw in February of 2019, noting that security researcher Oliver Hough had informed the company a year earlier to no avail. The popular dating app had uploaded photos to a publicly accessible Amazon Web Services storage bucket, even when users believed the pictures were private. The exposed data included nude photos and pictures that revealed a user's location — potentially putting them at risk of blackmail or even arrest in some countries. Jack'd fixed the problem the day Ars published its story.

The office of Attorney General Letitia James said that an investigation had confirmed this privacy problem. It also confirmed that “senior management of Online Buddies had been told in February 2018 of this vulnerability,” as well as another problem that could expose data about users. “While Online Buddies immediately recognized the seriousness of its vulnerabilities, the company failed to fix the problems for an entire year, and only after repeated inquiries from the press,” says a press release.

James' statement says that Jack'd had around 7,000 active New York users during that year, around 1,900 of whom had “private images that could be nude photographs.” Online Buddies currently says Jack'd has over 6 million users around the world, and it describes itself as the world's “most culturally diverse gay dating app.” That means Jack'd serves many men who are particularly vulnerable to discrimination if their personal data is exposed.

While Online Buddies' long delay was a big part of the problem here, security flaws — or outright sharing of sensitive information — are an ongoing problem in mobile apps, in