by Lisa Vaas
Dating/hook-up app Jack’d is publicly sharing, without permission, photos that users think they’re sharing privately.
The Android version of the app has been downloaded 110,562 times from Google’s Play store, and it’s also available on iOS.
Jack’d is designed to help gay, bi and curious guys to connect, chat, share, and meet on a worldwide basis. That includes enabling them to swap private and public photos.
But as it turns out, what should be its “private” photos… aren’t.
Unfortunately, as the Register reported on Tuesday, anyone with a web browser who knows where to look can access any Jack’d user’s photos, be they private or public – all without authentication or even the need to sign in to the app. Nor are there any limits in place: anyone can download the entire image database for whatever mischief they want to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.
The finding comes from researcher Oliver Hough, who told the Register that he reported the security bug to the Jack’d programming team three months ago. Whoever’s behind the app hasn’t yet supplied a fix for the security glitch, which the Register has confirmed.
Given the sensitive nature of the photos that are up for grabs to one and all, the publication chose to publish its report – without giving out many details – rather than leave users’ content in danger while waiting for the Jack’d team to respond.
The thin silver lining
On the just-about-plus side, there’s apparently no easy way to connect photos to specific individuals’ profiles. Hough said that it might be possible to make educated guesses, though, depending on how slick a given attacker …