The Maker of a Gay Dating App Gets Fined After Leaking Private Photos
Should software developers and online service providers be held accountable when they fail to protect users' data? Of course they should. Is this happening in the real world? Well, Online Buddies, Inc., the maker of Jack'd, a dating application primarily aimed at gay and bisexual men, will now be forced to pay $240 thousand to the State of New York because its app ended up leaking photos and personal information of some of its users. So, there are vendors that pay for their mistakes. But are they paying the right price? Let's take a look at Online Buddies' case and find out.
A woefully insecure design
The security flaw was rooted in the dating app's design. Like any other service of this kind, Jack'd allows users to upload photos after signing up for an account. There are public and private pictures. The public ones mustn't contain nudity and are visible to anyone looking at the user's profile. Jack'd imposes no restrictions on how explicit the private pictures are. Crucially, unless they are shared with other Jack'd users, the private photos remain accessible only to their owner. At least that's what the application's interface would suggest.
After peeking under the app's hood, security researcher Oliver Hough found out that both public and private photos were sent to the same Amazon S3 bucket, and a few moments later, he realized that the bucket in question wasn't protected by any sort of password. In other words, the private photos of Jack'd users were visible not only to other people who had downloaded the application. They were accessible to anyone who had a browser and knew where to look. Predictably, many of the private photos were of an extremely intimate nature, and their owners would probably have thought twice about uploading them had they known that they were exposing them to the whole world.
According to Ars Technica, every photo received a sequential number, which made downloading a large dump of photos even easier. The New York Attorney General's press release says that some personal data (device ID, location, and information on app usage) was also leaked, and when it first reported the breach, The Register noted that while it's difficult to link specific photos to real-world identities, "educated guesses" are possible.
Jack'd's developer buried its head in the sand and kept it there for almost a year
Speaking of The Register, it was the first online publication to report on the issue. It did so in February, after Oliver Hough got in touch with it. By that time, Hough himself had spent a whopping twelve months trying to get in touch with Online Buddies and tell the software vendor what was going on. Unfortunately, all his attempts to responsibly disclose the bug and help with the resolution were unsuccessful.
Both Ars Technica and The Register also tried to get through to Jack'd's creator, but even they failed to pry out specific information such as what was being done to address the issue and how long it would take. They kept the story under wraps for a while in the hope that Online Buddies would finally spring into action, but in the end, The Register decided that keeping it a secret was just as risky for the unsuspecting users whose photos were leaking. Miraculously or not, within a couple of days of The Register breaking the news, the hole was plugged, and the data was secured.
This is the bigger problem. Misconfigured cloud storage is one of the most common causes of data leaks nowadays, and the mistakes are made by both big and small software vendors. What matters is dealing with the problem quickly and efficiently as soon as it's discovered, and it's blatantly clear that Online Buddies didn't do that.
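The kind of exposure described above is something a vendor can check for itself before a researcher has to. The script below is an added example, not code from the article or from Online Buddies: it audits the three settings that decide whether an S3 bucket is readable by the world (bucket policy, bucket ACL, and the account/bucket Public Access Block) and reports the effective exposure. The sample policy, ACL and bucket name are constructed for illustration, shaped like what the AWS CLI's `get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` calls return.

```python
# Constructed sample input (not data from the article), shaped like the output of
# `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`.
SAMPLE_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"}]}
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {flag: True for flag in NO_BLOCK}

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def policy_allows_anonymous_read(policy: dict) -> bool:
    """True if an unconditioned Allow statement grants object reads to everyone."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue  # conditioned grants need manual review; not flagged here
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if principal not in ("*", ["*"]):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a in ("*", "s3:*", "s3:GetObject") for a in actions):
            return True
    return False

def acl_allows_public_read(acl: dict) -> bool:
    """True if a public group (AllUsers/AuthenticatedUsers) can read the bucket."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g["Grantee"].get("URI") in PUBLIC_GROUPS
               and g.get("Permission") in ("READ", "FULL_CONTROL")
               for g in acl.get("Grants", []))

def audit_bucket(policy: dict, acl: dict, block: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    # Public Access Block settings neutralise public grants, so report effective exposure.
    if policy_allows_anonymous_read(policy) and not block.get("RestrictPublicBuckets"):
        findings.append("bucket policy grants anonymous s3:GetObject")
    if acl_allows_public_read(acl) and not block.get("IgnorePublicAcls"):
        findings.append("bucket ACL grants READ to a public group")
    for flag in NO_BLOCK:  # every Public Access Block setting should be on
        if not block.get(flag):
            findings.append(f"PublicAccessBlock.{flag} is off")
    return findings
```

Run with the sample data it reports both public grants plus the four missing Public Access Block settings; with all four settings on, the same policy and ACL produce no findings because AWS no longer honours them. Object keys that are sequential numbers, as in this case, are a separate design problem that no bucket setting fixes once the bucket is public.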
Bearing in mind how sensitive the leaked data was, we'll leave it up to you to decide whether the fine of $240 thousand is a fair punishment.