Data leaks have been the main protagonists of 2020. Technology titans like WhatsApp and Nintendo have fallen victim to these problems, at the expense of users’ privacy and security. Now it is the turn of several dating apps, which according to vpnMentor research have suffered a security breach that leaked hundreds of thousands of images of their users.
The team led by Ran Locar and Noam Rotem has determined that the leak of sensitive photos came from niche dating apps, that is, apps designed for people with particular fetishes.
The cause appears to be a developer common to all of them, which has been the nexus of the disaster. Specifically, all this information was stored in a single account hosted on Amazon Web Services, and that account has now dangerously exposed millions of users as well as the entire AWS infrastructure of several apps.
Massive leak of intimate photos
The AWS account belonging to the common developer of all these apps was misconfigured; it contained data belonging to a wide selection of niche and very specific fetish dating apps. Some of the affected apps are GHunt, Casualx, PumaD and 3fun.
The files of each app were stored in a misconfigured AWS S3 storage bucket within a single shared AWS account. Each bucket is named after the dating app whose users uploaded the images, which makes their origin clear. vpnMentor contacted some of the apps, and the vast majority of these ‘buckets’ were closed, as the common developer confirmed.
Images were not the only thing exposed; voice messages, audio recordings, user photos, chat screenshots, evidence of financial transactions (with the consequent danger to banking privacy), and more were leaked. The buckets themselves did not hold any personally identifiable information, but the images stored in them did expose data such as names, personal details and banking details.
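As an added example (not code from the vpnMentor report or from any of the apps involved), the following Python check takes the ACL and Public Access Block settings of every bucket in a shared account, in the JSON shapes that `aws s3api get-bucket-acl` and `aws s3api get-public-access-block` return, and flags the buckets whose contents anyone can list; the bucket names and grants are constructed for illustration.

```python
# Added example, not from the vpnMentor report or any app named above.
# Offline check over the JSON shapes returned by `aws s3api get-bucket-acl`
# and `aws s3api get-public-access-block`; the sample buckets are constructed.

# Canned group URIs that make an ACL grant readable by anyone / any AWS account.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")

def public_grants(acl):
    """Permissions an ACL hands to anonymous users or to any AWS account."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(grant["Permission"])
    return out

def assess_bucket(name, acl, block=None):
    """One finding per bucket; 'exposed' means anyone can list its objects."""
    block = block or {}
    grants = public_grants(acl)
    # With IgnorePublicAcls on, public ACL grants still exist but are not honoured.
    effective = [] if block.get("IgnorePublicAcls") else grants
    return {
        "bucket": name,
        "public_grants": effective,
        "missing_block": [k for k in BLOCK_KEYS if not block.get(k)],
        # READ on a bucket ACL allows listing; FULL_CONTROL includes it.
        "exposed": "READ" in effective or "FULL_CONTROL" in effective,
    }

def exposed_buckets(inventory):
    """inventory: {bucket_name: (acl_dict, block_dict_or_None)} -> sorted names."""
    return sorted(n for n, (acl, blk) in inventory.items()
                  if assess_bucket(n, acl, blk)["exposed"])

# Constructed sample: one bucket per app, all inside one shared account.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}  # placeholder ID
INVENTORY = {
    "app-one-photos": ({"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        None),  # no Public Access Block configured at all
    "app-two-photos": ({"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        {k: True for k in BLOCK_KEYS}),  # fully blocked
}
```

Running `exposed_buckets(INVENTORY)` over a real inventory pulled with the AWS CLI gives the list of buckets that need closing first; `missing_block` lists the account-level settings that would have stopped the exposure regardless of each bucket's ACL.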
Extortion and intimidation
This leak has a particularly serious aspect, since it originates from apps specializing in fetishes. These users are especially vulnerable to very specific forms of attack, such as intimidation, extortion and blackmail over their fetishes. The dating apps we have mentioned (only some of a long list) are absolutely legal, and the relationships formed through them are consensual and legal.
However, the particularly private nature of the leaked data could be used to exploit users, demanding a ransom or blackmailing them to prevent this information from coming to light. Attackers could also create fake profiles for recruitment schemes that abuse or defraud other users. Another option would be threats that use the personal data in the images as a weapon.
Worst of all, this discovery was almost incidental. vpnMentor conducted the research as part of a web mapping project, in which researchers used port scanning to examine particular IP blocks and test systems for vulnerabilities. That is when the freely accessible AWS buckets were discovered.