Jack’d Left Users Private Photos Exposed for a Year Before Fixing Bug

Gay dating app Jack'd deployed an update on Thursday closing a loophole that had previously left users' supposedly "private" photos open for anyone with a web browser to view. The UK paper The Register first reported the bug, which was discovered by cybersecurity researcher Oliver Hough, on Tuesday.

In a phone interview with Out, Hough says he discovered the bug while researching several different dating apps to see how they work. He was looking specifically at the information shared between the app and servers where data is stored. Hough noticed that the way Jack'd, which is popular among men of color, stored their photos allowed for anyone, even someone who did not have the app, to access them. The photos he initially accessed were public photos, so he uploaded a private photo and was able to find it.

Hough then changed numbers in the URL and was able to find photos uploaded to Jack'd around the same time as his own, Ars Technica reports. Though Hough was able to access the photos, he said that the photos were not linked to any identifying information about the user.

Hough contacted the company when he discovered the bug. Though earlier reports said that Hough emailed Jack'd about 3 months ago, screenshots shared with Out show his first emails to Jack'd date back to February 2018. Hough says he received an email back saying they'd look into it.

Plans for a phone call between Hough and Jack'd to discuss the issue never materialized and the photos stayed open and accessible until the Register published its story, prompting the app to address the issue.

"I don't feel they were quick enough to respond and I believe they only rushed to get it fixed after they knew the story was going to be published," Hough tells Out. "I'm glad they have rolled out a fix, though it took too long to get here."

After news began to spread about the bug, Jack'd told Out in an email that they would address the issue in a February 7 update. Hough confirmed to Out that the update resolved the issue and the photos are no longer accessible. Hough added that he will soon test to make sure that there are no other ways around the fix. Ars Technica also confirmed independently that the breach had been fixed.

Jack'd is not the only gay dating app that has had to deal with a data breach in the last year. In March 2018, a website called "C*ckblocked" exposed a bug in the Grindr's cybersecurity that allowed people to access a list of other users who had blocked them on the app, NBC News reported. (Disclosure: I am a former employee of Grindr.) The man who began the site, Trevor Faden, was also eventually able to access other data on user profiles like unread messages, email addresses, deleted photos, and users' locations. Grindr has since updated its app to address the problem.

Jack'd has not responded to requests for further comment about the breach or user security.

Related | Scruff Now Bans Jockstraps in Profile Photos