Privacy disaster as LGBTQ+ and BDSM dating apps leak private photos.

Comments

• MissGutsy@lemmy.blahaj.zone ⁨5⁩ ⁨days⁩ ago

  Cybernews researchers have found that BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps had publicly accessible secrets published together with the apps’ code.

  All of the affected apps are developed by M.A.D Mobile Apps Developers Limited. Their identical architecture explains why the same type of sensitive data was exposed.

  What secrets were leaked?

  • API Key
  • Client ID
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage Bucket
  • GAD Application Identifier
  • Database URL

  Exposing them is dangerous, as credentials placed in client applications are accessible to anyone, and threat actors can easily abuse them to gain access to systems. In this case, the most dangerous of leaked secrets granted access to user photos located in Google Cloud Storage buckets, which had no passwords set up.

  In total, nearly 1.5 million user-uploaded images, including profile photos, public posts, profile verification images, photos removed for rule violations, and private photos sent through direct messages, were left publicly accessible to anyone.

  So the devs were inexperienced in secure architectures and put a bunch of stuff on the client which should probably have been on the server side. They then made multiple dating apps with this faulty infrastructure by copy-pasting it everywhere.

  I hope they are registered in a country with strong data privacy laws, so they have to feel the consequences of their mismanagement

  source

  • MonkderVierte@lemmy.ml ⁨4⁩ ⁨days⁩ ago

    Inexperienced? This is not-giving-a-fuck level.

    source

    • sugar_in_your_tea@sh.itjust.works ⁨4⁩ ⁨days⁩ ago

      No, it’s lack of experience. When I was a junior dev, I had a hard enough time understanding how things worked, much less understanding how they could be compromised by an attacker.

      Junior devs need senior devs to learn that kind of stuff.

      source

      • -> View More Comments
  • Flax_vert@feddit.uk ⁨5⁩ ⁨days⁩ ago

    Do you reckon this app could have been vibecoded/a product of AI? Or massive use of AI in development? I’d know not to do this as a teenager when I was beginning to tinker with making apps, nevermind an actual business.

    source

    • taladar@sh.itjust.works ⁨5⁩ ⁨days⁩ ago

      I know for a fact that a lot of applications made these mistakes before AI was around so while AI is a possibility it is absolutely not necessary.

      source

      • -> View More Comments
  • taiyang@lemmy.world ⁨4⁩ ⁨days⁩ ago

    I’ve met the type who run businesses like that, and they likely do deserve punishment for it. My own experience involved someone running gray legality betting apps, and the owner was a cheapskate who got unpaid interns and filipino outsourced work to build their app. Guy didn’t even pay 'em sometimes.

    Granted, you could also hire inexperienced people if you’re a good person with no financial investor, but that I’ve mostly seen with education apps and other low profit endeavors. Sex stuff definitely is someone trying to score cash.

    source
  • azalty@jlai.lu ⁨4⁩ ⁨days⁩ ago

    The illusion of choice

    A lot of “normal” dating apps are also owned by the same companies

    source
  • Rexios@lemm.ee ⁨4⁩ ⁨days⁩ ago

    Every single one of those “secrets” is publicly available information for every single Firebase project. The real issue is the developers didn’t have proper access control checks.

    source
• balder1991@lemmy.world ⁨4⁩ ⁨days⁩ ago

  Brace yourselves, because this is only going to get worse with the current “vibe coding” trend.

  source

  • CheeseToastie@lazysoci.al ⁨4⁩ ⁨days⁩ ago

    Can you ELI5?

    source

    • Vendetta9076@sh.itjust.works ⁨4⁩ ⁨days⁩ ago

      Vibe coding is the current trend of having an LLM build your codebase for you then shipping it without attempting to understand the codebase.

      Most developers are using LLMS to some extent to speed up their coding, as cursor and Claude are really good at removing toil. But vibe coders have the LLM build the entire thing and don’t even know how it works.

      source

      • -> View More Comments
  • msage@programming.dev ⁨4⁩ ⁨days⁩ ago

    So we are moving away from >1GB node_modules finally? Or is it too soon?

    source

    • Little8Lost@lemmy.world ⁨4⁩ ⁨days⁩ ago

      Its going to be 1GB node_modules handled by garbage ai code
      ai is only good at doing smaller scripts but loosing connections and understandment in larger codebases, combined with people who cant program well (i mean not only coding but debugging… as well) also called vibe programmers its going to be a mess

      if a product claims it has vibecoding: find an alternative!

      source

      • -> View More Comments
    • FourWaveforms@lemm.ee ⁨4⁩ ⁨days⁩ ago

      I love feeding my bloated node_modules

      source
• CheeseToastie@lazysoci.al ⁨4⁩ ⁨days⁩ ago

  This is devastating. The LGBT community are often hiding their true selves because of family, colleagues, culture etc. People will be destroyed.

  source
• CluckN@lemmy.world ⁨4⁩ ⁨days⁩ ago

  I wonder how many conservative politicians they’ll find.

  source
• azalty@jlai.lu ⁨4⁩ ⁨days⁩ ago

  Use Signal for more private stuff like this 👀

  source
• PumaStoleMyBluff@lemmy.world ⁨4⁩ ⁨days⁩ ago

  Anyone who uses Grindr, please be aware that any photos you send are cached and stored unencrypted in plain old folders on the receiver’s phone, regardless of whether they were expiring or in an album that you later revoked. It’s nearly trivial to grab any photo someone sends you, with no watermark or screenshot notification.

  source
• thatradomguy@lemmy.world ⁨4⁩ ⁨days⁩ ago

  Just don’t send nudes… why do people think other people won’t figure out how to screenshot or just keep photos forever? Even if you trust the person, the person could get hacked… the pwned guy got pwned for Jehova’s sake. Just stop sending that shit.

  source