Aussie kink and sugar dating communities at risk after 1.5m photos leaked from BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps
A major security flaw in BDSM and sugar dating apps has put Victoria’s kinky community at risk, exposing 1.5 million private photos.
A major security flaw has exposed 1.5 million private photos — including explicit images — shared on iPhone dating apps catering to LGBTQ+, BDSM, and sugar dating communities.
Cybernews research has found that the explicit apps BDSM People, CHICA, TRANSLOVE, PINK and BRISH left sensitive user data publicly accessible to cyber criminals.
The apps, developed by UK-based M. A. D Mobile Apps Developers Limited, allowed unauthorised access to storage buckets containing highly sensitive content through a coding flaw, putting users at risk of extortion and social engineering attacks.
The exposed content included user-uploaded images, profile photos, public posts, profile verification images, photos removed for rule violations and private photos sent through direct messages.
The BDSM People (Kinky Fetish Dating) app, which describes itself as a safe, secure and discreet way to meet like-minded people for dating, alone leaked 541,000 private images, including 90,000 from direct messages.
The flaw in the code allowed access to 1.6m files and more than 128GB of data, including the 541,000 images people sent to each other or uploaded to the app.
Sugar dating app CHICA — downloaded over 80,000 times — exposed 133,000 photos including pictures sent in private chats.
LGBTQ+ dating apps BRISH, PINK, and TRANSLOVE collectively leaked over 1.1 million images.
Monash University cybersecurity lecturer Philip Phair said breaches on explicit dating apps were particularly concerning as they could expose people who would prefer to keep their use of such platforms private.
“It puts an extra level of sensitivity and concern for those who might have their information leaked like public figures or just people in society,” he said.
Mr Phair said the scale of the leak raised serious concerns about the security practices of companies behind explicit dating apps.
“Cyber criminals will try and monetise data breaches as many times as possible through putting it on the dark web where they’ll make it for sale,” he said.
“They might do cyber extortion. They particularly look for public figures or people (in countries) where being on these (explicit sexual apps) is illegal.”
Cybernews researchers uncovered the leak as part of a broader investigation into 156,000 iOS apps, about eight per cent of all apps on the App Store, which found that developers had left plaintext credentials in application code, making them easily accessible to hackers.
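The failure described in this paragraph, credentials shipped inside the app bundle that unlock a cloud storage bucket, is the kind of thing a quick static triage catches before release. The following is an added example written for this page, not code from Cybernews or from M. A. D Mobile Apps Developers. It scans a constructed list of strings (standing in for the output of `strings` on the app binary, or the contents of bundled plist and JSON config files) for well-known credential formats, storage endpoints and generic high-entropy secrets, and flags the case that matters most: an access key and its secret present together. The AWS values are the placeholder credentials published in AWS documentation, and the hostnames and the hex token are made up.

```python
"""Scan strings extracted from an app bundle for hard-coded cloud credentials.

Added example for this article, not the researchers' or the developer's code.
Input is a constructed list standing in for `strings` output on a Mach-O
binary or the text of bundled config files.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample strings. The AWS values are the placeholder credentials
# from AWS documentation, not real keys; hostnames and the token are made up.
SAMPLE_STRINGS = [
    "com.example.kinkdating.app",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "https://example-user-photos.s3.eu-west-2.amazonaws.com/",
    "https://example-app-default-rtdb.firebaseio.com/",
    "UIImageView",
    'api_key = "REPLACE_ME"',  # low-entropy placeholder, must not be reported
    "token: 8f3a9c1d2e4b5a6f7081929394a5b6c7d8e9f0a1",  # generic random secret
]

# Well-known credential and endpoint formats (AWS and Google/Firebase here).
KNOWN_PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,3}([A-Za-z0-9/+=]{40})"),
    "storage_endpoint": re.compile(
        r"https?://[A-Za-z0-9.-]*(?:amazonaws\.com|storage\.googleapis\.com"
        r"|firebaseio\.com|appspot\.com)/?\S*"),
}

# Generic `name = value` where the name suggests a secret; the value is only
# reported if it looks random, which filters placeholders like REPLACE_ME.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b(secret|token|password|passwd|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]{16,})")


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is about 4.0, base64 about 6.0, words 3-4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(strings: List[str], entropy_threshold: float = 3.5) -> List[Tuple[str, str]]:
    """Return (kind, value) findings in input order; values are unredacted."""
    findings: List[Tuple[str, str]] = []
    for line in strings:
        matched = False
        for kind, pat in KNOWN_PATTERNS.items():
            for m in pat.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                findings.append((kind, value))
                matched = True
        if matched:
            continue  # do not double-report a known format as a generic secret
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            findings.append(("generic_secret", m.group(2)))
    return findings


def has_credential_pair(findings: List[Tuple[str, str]]) -> bool:
    """True when an access key and its secret both ship in the bundle, i.e.
    anyone holding the IPA can act against the storage with the app's identity."""
    kinds = {kind for kind, _ in findings}
    return "aws_access_key_id" in kinds and "aws_secret_access_key" in kinds


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the scan report is not itself a leak."""
    return value[:keep] + "*" * max(0, len(value) - keep)


if __name__ == "__main__":
    results = scan(SAMPLE_STRINGS)
    for kind, value in results:
        print(f"{kind:24s} {redact(value)}")
    if has_credential_pair(results):
        print("FAIL: access key and secret both embedded in the bundle")
```

A storage URL on its own is not a vulnerability; the combination of an endpoint with a key pair in the same bundle is the condition to fail a build on, because it gives every copy of the app the same standing credential. The fix is to keep such credentials server-side and hand the client only short-lived, narrowly scoped tokens or pre-signed URLs after it authenticates, and separately to confirm the bucket's own policy does not permit anonymous listing or reads.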
M. A. D Mobile Apps Developers Limited spokesman Patrick Davis said the vulnerabilities in their apps had been addressed following the security flaw discovery.
“Fortunately, this was not an actual data breach caused by malicious actors, but rather a controlled experiment conducted by Cybernews,” he said in a statement.
“We also did not detect any real downloads. That said, this does not absolve us of responsibility.
“We are grateful to the Cybernews team for their work and have already fixed the vulnerabilities. Our users can rest easy.”
Apple was contacted for comment.