A bug in a popular gay dating app that lets people download private pictures without permission has been exposed.
Researcher Oliver Hough found the bug in the app Jack’d a year ago and reported it to developers. The bug lets people download private and public pictures from Jack’d without even downloading the app.
He says he told the company about it several months ago, but never got a response. The bug has still not been fixed, according to British tech website The Register, which confirmed that private pictures could still be downloaded without permission.
While the pictures are not associated with any specific account, someone could use details associated with the pictures – like user location – to figure out who they belong to.
Not only does this put users’ intimate pictures at risk, but it could also be used to out the primarily gay and bi men who use the app and harass or discriminate against them.
Jack’d developer Online-Buddies Inc. claims that the app has over five million users and “consistently ranks among the top four gay social apps in both the App Store and Google Play.”
Even though Online-Buddies Inc. was informed of the issue last year, the company did not move to fix it until Ars Technica said it would publish an article about the bug.
According to Ars Technica, the issue should be resolved in a patch being released today.