Sugar Dating and BDSM Apps Expose Users’ Private Images

A recent investigation by Cybernews has revealed that several popular sugar dating, BDSM, and LGBTQ+ apps on Apple’s iOS have leaked highly sensitive user content, including private images. The affected apps include BDSM People, CHICA, TRANSLOVE, PINK, and BRISH, which were found to have publicly accessible secrets published alongside their code.

The leaked secrets included API keys, passwords, and encryption keys, posing a significant risk to users’ privacy and security. This is particularly concerning given the nature of the apps, as many users share highly explicit and sensitive content with each other. Malicious actors can exploit this information for extortion, social engineering, and reputational damage.

The leak has put users at high risk of harassment, persecution, and damage to their professional reputation, especially in countries where homosexuality is still illegal. Although the leaked buckets did not contain identifying data such as usernames or messages, threat actors could use reverse image search techniques to identify the individuals behind the photos.

The investigation found that all affected apps were developed by M.A.D Mobile Apps Developers Limited and share a similar architecture, which led to identical exposure of sensitive data across them. The apps are exclusive to iOS and do not have Android or web alternatives. Cybernews downloaded 156,000 iOS apps and discovered that 71% of the analyzed apps leak at least one secret, with an average app exposing 5.2 secrets.

The investigation highlights a significant security flaw in the development practices of these apps, leaving users vulnerable to data breaches. Among the affected apps, CHICA leaked images from private messages, and for BDSM People – Kinky Fetish Dating, access was gained to a storage bucket containing over 541,000 images.

Source: https://cybernews.com/security/ios-dating-apps-leak-private-photos