The vpnMentor research team discovered a data leak (photos, including erotic ones, screenshots of personal correspondence and money transfer transactions, audio recordings and some personally identifiable information) affecting users of highly specialized dating applications. Hundreds of thousands of users of these applications may lose their privacy. The applications are designed for people with a certain lifestyle and alternative sexual preferences (representatives of the LGBT community, fetishists, etc.). One application is even dedicated to people with sexually transmitted diseases.
“While data from dating and hookup apps are always sensitive and private, users of the apps exposed to this data leak would be particularly vulnerable to various forms of attacks, bullying, and extortion,” write vpnMentor specialists.
The leak affected the following services: 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, etc. All the applications have the same developer, so the photos and other materials uploaded to them are stored in the same Amazon Web Services (AWS) account. According to the researchers, the login and password used to authenticate to that account are extremely unreliable.
In addition to compromising the privacy of hundreds of thousands of users, the leak reveals the entire AWS infrastructure. According to vpnMentor estimates, because of unreliable credentials, 20,439,462 files with a total volume of 845 GB, belonging to users in the USA and other countries, were at risk of compromise.
User files for each application were stored in separate AWS S3 buckets in the same AWS account. The buckets were misconfigured, and their names corresponded to the names of the applications.
“Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users. Any exposed PII data creates much more significant risks to users. Given the nature of many of these apps – in some cases involving financial transactions, fetishes, and STIs – having your presence on the app made public could create immense stress in your personal life,” write vpnMentor’s IS specialists.
By the way, we have already written about the consequences such data leaks can have.
Researchers were able to contact the owner of only one application, 3somes. The owners quickly responded to the problem report, and on the same day all the storage buckets were protected, which confirms the theory that the applications share the same developer.