Do you reckon this app could have been vibecoded/a product of AI? Or massive use of AI in development? I’d know not to do this as a teenager when I was beginning to tinker with making apps, nevermind an actual business.
Comment on Privacy disaster as LGBTQ+ and BDSM dating apps leak private photos.
MissGutsy@lemmy.blahaj.zone 1 week ago
Cybernews researchers have found that BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps had publicly accessible secrets published together with the apps’ code.
All of the affected apps are developed by M.A.D Mobile Apps Developers Limited. Their identical architecture explains why the same type of sensitive data was exposed.
What secrets were leaked?
- API Key
- Client ID
- Google App ID
- Project ID
- Reversed Client ID
- Storage Bucket
- GAD Application Identifier
- Database URL
Exposing them is dangerous, as credentials placed in client applications are accessible to anyone, and threat actors can easily abuse them to gain access to systems. In this case, the most dangerous of leaked secrets granted access to user photos located in Google Cloud Storage buckets, which had no passwords set up.
In total, nearly 1.5 million user-uploaded images, including profile photos, public posts, profile verification images, photos removed for rule violations, and private photos sent through direct messages, were left publicly accessible to anyone.
So the devs were inexperienced in secure architectures and put a bunch of stuff on the client which should probably have been on the server side. They then made multiple dating apps with this faulty infrastructure by copy-pasting it everywhere.
I hope they are registered in a country with strong data privacy laws, so they have to feel the consequences of their mismanagement
Flax_vert@feddit.uk 1 week ago
taladar@sh.itjust.works 1 week ago
I know for a fact that a lot of applications made these mistakes before AI was around so while AI is a possibility it is absolutely not necessary.
yoshman@lemmy.world 1 week ago
I had a test engineer demand an admin password be admin/admin in production. I said absolutely not and had one of my team members change it to a 64-character password generated in a password manager. Dumbass immediately logs in and changes it to admin again. We found out when part of the pipeline broke.
So, we generated another new one, and he immediately changed it back to admin again. We were waiting for it the second time and immediately called him out on the next stand-up. He said he needs it to be admin so he doesn’t have to change his scripts. picard_facepalm.jpg
Serinus@lemmy.world 1 week ago
How is he not fired? Incompetence and ignorance is one thing, but when you combine it with effectively insubordination… well, you better be right. And he is not.
Pika@sh.itjust.works 1 week ago
my main question in this is, why does a test engineer have the credentials to change an admin password in production. Like I get that he needs to test things but I doubt he needs access to changing profile/account settings
taiyang@lemmy.world 1 week ago
I’ve met the type who run businesses like that, and they likely do deserve punishment for it. My own experience involved someone running gray legality betting apps, and the owner was a cheapskate who got unpaid interns and filipino outsourced work to build their app. Guy didn’t even pay 'em sometimes.
Granted, you could also hire inexperienced people if you’re a good person with no financial investor, but that I’ve mostly seen with education apps and other low profit endeavors. Sex stuff definitely is someone trying to score cash.
azalty@jlai.lu 1 week ago
The illusion of choice
A lot of “normal” dating apps are also owned by the same companies
Rexios@lemm.ee 1 week ago
Every single one of those “secrets” is publicly available information for every single Firebase project. The real issue is the developers didn’t have proper access control checks.
MonkderVierte@lemmy.ml 1 week ago
Inexperienced? This is not-giving-a-fuck level.
sugar_in_your_tea@sh.itjust.works 1 week ago
No, it’s lack of experience. When I was a junior dev, I had a hard enough time understanding how things worked, much less understanding how they could be compromised by an attacker.
Junior devs need senior devs to learn that kind of stuff.
PumaStoleMyBluff@lemmy.world 1 week ago
It does help if services that generate or store secrets and keys display a large warning that they should be kept secret, every time they’re viewed, no matter the experience level of the viewer. But yeah understanding why and how isn’t something that should be assumed for new devs.