iOS apps that cater to sugar dating, BDSM, and LGBTQ+ communities – where privacy is critical – have leaked highly sensitive content, putting users of these apps at risk.
Cybernews researchers discovered that apps from BDSM People, CHICA, TRANSLOVE, PINK, and BRISH had publicly accessible secrets published together with the apps’ code, including API keys, passwords, and encryption keys.
It is highly dangerous to expose these, as credentials in client applications are accessible to anyone, and can be abused by malicious actors to gain a foothold on systems.
In this instance, the most dangerous of leaked secrets granted access to user photos located in Google Cloud Storage buckets, which had no passwords set up.
“In total, nearly 1.5 million user-uploaded images, including profile photos, public posts, profile verification images, photos removed for rule violations, and private photos sent through direct messages, were left publicly accessible to anyone,” the researchers said, adding that they have contacted M.A.D Mobile Apps Developers Limited for comment, but no response has been received yet.
Fearing For Their Privacy and Dignity
The notion that images of this nature have been exposed is a nightmare for many, who now fear for their privacy and dignity. Considering the nature of these apps, the photos shared between users are often sensitive and explicit.
“Malicious actors often exploit highly sensitive leaked content for extortion, social engineering, and attempts to damage a person’s professional reputation. Moreover, impacted individuals could be put at elevated risk of harassment. With homosexuality being illegal in some countries, the leak could put app users at high risk of persecution,” the researchers added.
Cybernews said that although the leaky storage buckets don’t explicitly contain data on user identities such as usernames, emails, or messages, threat actors could still find out who the people behind the pics are using OSINT techniques such as reverse image searching.
Moreover, malefactors would be able to fashion highly convincing attacks using this information. They could, for instance, deploy scrapers or monitoring scripts to access new data in real-time, enabling them to extort and socially engineer attacks with high precision.
A Large-scale Investigation
Cybernews said it discovered the leak after a wide-scale investigation. The company’s researchers downloaded 156,000 iOS apps, approximately 8% of all apps on the Apple Store. They found that app developers are leaving plaintext credentials in the application code which is accessible to anyone.
“The findings revealed staggering numbers: 71% of the analyzed apps leak at least one secret, with an average app’s code exposing 5.2 secrets,” Cybernews said.
Unsafe, Unsecured, Indiscreet
For instance, “BDSM People – Kinky Fetish Dating” which claims to be a “safe, secure, and discreet” way to meet individuals with similar interests for dating purposes, proved to be anything but.
What was left in the code permitted access to a storage bucket with more than 128GB and a whopping 1.6 million files—among which were some 541,000 images users sent to one other or uploaded to the app.
What was exposed included 18,000 photos removed by moderators; 270,000 user profile photos; 70,000 photos from public posts; 90,000 photos from user chats; 65,000 blurred photos, and 28,000 profile verification photos.
No Sugaring the Pill
Similarly, CHICA – Selective Luxy Dating, which has been downloaded more than 80,000 times, focuses on sugar dating (when a financially successful “sugar daddy” or “sugar mommy”, offers financial support or gifts in exchange for companionship or intimacy). Again, it had access to the storage bucket hard-coded in its code.
In this instance, the leaky bucket contained nearly 45GB of data, including 133,000 images of app users, several of which were shared privately in DMs. Exposed information included 2,200 Images sent via chats; 11,000 photos uploaded as posts; 4,700 images removed by the moderators; 94,000 profile photos; and 23,000 photos uploaded for profile verification.
Not Just Possible, Inevitable
“The recent leak of dating app users’ images online serves as a reminder of the security challenges facing many mobile application developers,” commented Jack Kerr, Director at Appdome. “In this case, nearly 1.5 million unencrypted explicit images were left completely exposed. Intentional incidents like this carry serious implications for user privacy and trust, this can result in reputational and financial repercussions for the organisations involved.”
He says too many mobile apps still ship without adequate protections which makes incidents like this not just possible, but inevitable.
“Security researchers regularly break white-box implementations (obfuscation), extracting hard-coded secrets that should never have been stored in an insecure manner to begin with. When attackers can extract the data using freely available reverse engineering tools like Frida, the consequences are severe: lack of consumer trust, exposure of vulnerable users and, ultimately, loss of business,” says Kerr.
If mobile businesses want to avoid this kind of fallout, he says developers need to implement real encryption, including encrypting hard coded API endpoints, encrypting sensitive data at rest, securing all communications, adding runtime protections and using mobile bot defense.
“Instead of placing trust in proprietary white-box solutions, mobile developers should implement real encryption backed by well-established cryptographic principles and best practices. The security of mobile applications depends on it.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.