Indecent disclosure: Gay dating app left “private” images, data exposed to Web
Sean Gallagher reports on yet another exposed Amazon bucket:
Jack’d, a “gay dating and chat” application with more than 1 million downloads from the Google Play store, has been leaving images posted by users and marked as “private” in chat sessions open to browsing on the Internet, potentially exposing the privacy of thousands of users. Photos were uploaded to an AWS S3 bucket accessible over an unsecured Web connection, identified by a sequential number. By simply traversing the range of sequential values, it was possible to view all images uploaded by Jack’d users—public or private. Additionally, location data and other metadata about users was accessible via the application’s unsecured interfaces to backend data.
Read more on Ars Technica.