Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Software Security

Dating Apps Exposed 845GB of Explicit Photos, Chats, and More (wired.com) 43

Lily Hay Newman writes via Wired: Security researchers Noam Rotem and Ran Locar were scanning the open internet on May 24 when they stumbled upon a collection of publicly accessible Amazon Web Services "buckets." Each contained a trove of data from a different specialized dating app, including 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt. In all, the researchers found 845 gigabytes and close to 2.5 million records, likely representing data from hundreds of thousands of users. They are publishing their findings today with vpnMentor.

The information was particularly sensitive and included sexually explicit photos and audio recordings. The researchers also found screenshots of private chats from other platforms and receipts for payments, sent between users within the app as part of the relationships they were building. And though the exposed data included limited "personally identifying information," like real names, birthdays, or email addresses, the researchers warn that a motivated hacker could have used the photos and other miscellaneous information available to identify many users. The data may not have actually been breached, but the potential was there.
"The researchers don't know whether anyone else discovered the exposed trove before they did," the report adds. "If you use one of the affected apps there's not a lot you can do to protect against the possibility that the data was stolen before the researchers found it. There wasn't a specific trove of passwords in the exposed data, so changing your password likely won't do much."

All you can really do is hope the developer locks down the cloud infrastructure before anyone grabs the information.
This discussion has been archived. No new comments can be posted.

Dating Apps Exposed 845GB of Explicit Photos, Chats, and More

Comments Filter:
  • by Anonymous Coward on Tuesday June 16, 2020 @07:55PM (#60191082)
    At least nobody on slashdot was affected.
  • The fact is, no one cares enough to stay away from these apps.
    • Comment removed based on user account deletion
      • I disagree. If I was a bachelor looking for a special kind of lay, I wouldn't mind having my app data be exposed to all. I control what data I give them, and I believe that to get laid you don't need to give data that are too private.

      • by gweihir ( 88907 )

        Actually, no. It is non-experts relying on a technical product actually being created and maintained by competent engineers. Like if you buy an electrical stove, you can rely on it not catching fire or electrocuting you, or if you buy a car, you can rely on the brakes working.

        Unfortunately, there still is this utter idiocy of software not being regarded as technology that needs to be done by competent and qualified engineers. It is pretty easy connecting some resistance wires to electricity to heat somethin

      • High IQ/Low IQ. You are probably going to have the urge to have Sex. That is why Dating Sites, and Porn Sites do so well. We kinda want to have sex. Our High IQ who that this site that tailors to your particular kink is going to have a battle of our Advance brains which are only a few million years old, compared to our billion year old sex drive.

        Besides if you so smart to judge the security of a web app, you probably aren't going to like any web-app. Heck you shouldn't be on Slashdot, because I am sure

  • Let's just put unencrypted data on a publicly accessable S3 bucket..what could possibly go wrong?
    • Because the execs don't give a fuck. When you're raking in cash so fast you can literally make a year's salary in seconds, you get detached from reality.

      They need to come back down to Earth.

      • To be fair the vast majority of people do NOT want to see the vast majority of those pictures. It's not some secret Trove of Smokin' Hot Bodies.
      • by gweihir ( 88907 )

        Indeed. That needs to come in via liability and personal punishment on negligence. I mean, negligence does not get any more gross than not securing a cloud container. That is not a simple mistake. That requires a complete amateur having done it and then nobody ever checking it at all. Hence the gross negligence is on the management side here and that should come with personal liability.

    • by fermion ( 181285 )
      It does not matter where the data is. We have had breaches forever. Even if you put the pictures in a locked file cabinet under armed guard, if someone is motivated they will get them. Nudes and personal data is an attractive nuisance.

      Pamela Anderson private tape with her husband was locked in safe. It was stolen by an electrician looking for glory. It was put online. Paris Hilton’s sex tape was leaked.

      The difference is now Is two fold. First, there is no barrier to publication. No one is going to

  • by chipperdog ( 169552 ) on Tuesday June 16, 2020 @08:11PM (#60191120) Homepage
    Patrons on the exhibitionist dating app are still hoping for their stuff to be found :-)
  • > "We were amazed by the size and how sensitive the data was," Locar says.

  • They all look the same :/ lol
  • by Kohath ( 38547 )

    I guess ZooOrgy and CaveBanginHippos are safe then.

  • I've noticed the newest kind of spam I've seen in my gmail filter is an avalanche of scammers claiming they have unflattering pictures of me. Considering how thoroughly uninteresting my sexual history is, I don't take them the least bit serious (even more so the ones who don't even get any part of my name right).
  • by raymorris ( 2726007 ) on Tuesday June 16, 2020 @10:14PM (#60191402) Journal

    That's ratuer unfortunate.

      All those nudes just out there, and it's all from Gay Daddy Bear, BBW Dating, Herpes Dating, etc. :(

    Let me know when there is a leak from ThatHottieYouLikedInHighSchool.com

    • by raymorris ( 2726007 ) on Tuesday June 16, 2020 @10:20PM (#60191414) Journal

      It just occurred to me that the hotties I liked in high school arw now old ladies with four grown kids, most about 150 pounds heavier. They're still great people. I think I'll stick to their fully-clothed Facebook pics, now that I think about it.

    • by AmiMoJo ( 196126 )

      Herpes Dating sounds like a really bad idea. Presumably it's for people with herpes to date other people with herpes, theory being they can't get herpes twice... But they can. Same with HIV positive dating and porn.

      • I suppose if you have herpes, and many people do, it's probably safer be with the someone else who has it than someone who does not.

        It's also probably - how do I say this? If you have herpes, and of course you're honest with your partner, somebody in the same boat may have less likely to run away.

  • Hahaha oh my god... this site's readership.... wow... currently 14 comments and none of them have anything to do with tech, security, etc. Every single comment so far is "hurr hurr hurr, they're all ugly, hurr hurr hurr no one wants those pics, amiright?"
    • by gweihir ( 88907 )

      Even complete morons can get online now. One of the downsides of technological advances. And the one thing the human race has in endless supply are morons, as the comments nicely show.

    • by dwpro ( 520418 )
      Your critique is right generally but given the lack of specifics I don't see what else we have to discuss. Giving this type of data to one-off dating apps is a good way to lose control of it, one way or another. A fool and his data are soon parted.
    • thank you for the summary - i'm from the future, and it's the same up there.

  • So. Herpes Dating is actually a thing. Sigh.
    • Well, I imagine that telling a date that you have herpes would tend to be a major turn off for most. Meeting someone who also already has herpes would remove that stigma.

  • More dirt to dig up on the candiates and ther spouses/childen Fun Fun Fun. I can think of a few countries that will have a backup copy. May the leaks come fast and naked.
  • by Anonymous Coward
    From the actual article: "The researchers do not identify the company behind the apps, but records on Apple Inc.’s App Store for 3somes indicate the developer is Chang’an Mao, a name written in simplified Chinese. Chang’an is an ancient capital of China, while Mao, derived from Mao Zedong, is sometimes a slang term used to mean money because Mao appears on all Chinese banknotes. A Google Play listing for Cougary doesn’t provide a company name but gives a location for the developer a
    • Most people don't think about where their data goes, or who has access, they don't care. Which is kind of sad. I think seeing the development or admin side of one of these services would be quite eye opening for most people.

  • ...aaand this is why services and software should provide a minimum of security. I am not talking about mathematically proving any line of code is resilient against every possible exploit, but something like "you must use https", "you must not put stuff in public buckets" and "you must patch everything" is necessary IMO. Unfortunately, the law moves in quite the opposite direction, for example Sony was granted a get-out-of-jail-free card by courts despite plaintiffs proving that Sony acted negligently with
    • Also, another thing would be "your app or service should not be exploitable against these common SQL-injection exploits"
    • by dwpro ( 520418 )
      Most of that seems reasonable, but "you must not put stuff in public buckets" is gonna need some work...that's how you host a website. How to distinguish what data is sensitive and secure that data could use some regulation.

      Requiring certified engineers for designing/building significant infrastructure seems like how we handle getting minimum competence and a throat to choke in other areas-- I wonder why that's never gotten a foothold.
      • Of course by "stuff" I didn't mean public data. If something is meant to be seen by everyone, it goes into a "public" bucket.
  • If you downloaded something called "Gay Daddy Bear" on your phone, you deserve to get ALL your info leaked, everywhere.

    PS: Am I the only one that started laughing uncontrollably after finding out that's a real thing?

Whoever dies with the most toys wins.

Working...