A data bug in the gay hook-up app Jack’d allows anyone to download your private photos.
As The Register reported on Tuesday, anyone with a web browser who knows where to look can access any Jack’d user’s photos, “be they private or public – all without authentication or even the need to sign in to the app. Nor are there any limits in place: anyone can download the entire image database for whatever mischief they want to get into, be it blackmail or outing somebody in a country where homosexuality is illegal and/or gays are harassed.”
The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi men chat each other up, exchange private and public pics, and arrange to meet.
The Register says that the makers of the app have known about the security concerns for more than three months.
Researcher Oliver Hough, who said he found and reported the security shortcoming to the Jack’d team, demonstrated to The Register how the programming bug can be exploited.
Hough said, “The app should place strict access restrictions on which images should be viewable, so that if one user allows another user to see a sext pic, only the receiver should be allowed to see it. Instead, it is possible to see everyone’s naked selfies, to be frank.”
A query to Jack’d was not returned by press time.