Privacy disaster as LGBTQ+ and BDSM dating apps leak private photos


BDSM, LGBTQ+, and sugar dating apps have been found exposing users' private images, with some of them even leaking photos shared in private messages.

Apple’s iOS apps catering to the sugar dating, BDSM, and LGBTQ+ communities – where privacy is often paramount – have leaked highly sensitive content, putting users at risk.

Cybernews researchers have found that BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps had publicly accessible secrets published together with the apps’ code. So-called “secrets” are sensitive information such as API keys, passwords, or encryption keys.


Exposing them is dangerous, as credentials placed in client applications are accessible to anyone, and threat actors can easily abuse them to gain access to systems. In this case, the most dangerous of leaked secrets granted access to user photos located in Google Cloud Storage buckets, which had no passwords set up.

In total, nearly 1.5 million user-uploaded images, including profile photos, public posts, profile verification images, photos removed for rule violations, and private photos sent through direct messages, were left publicly accessible to anyone.
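The exposure described above has two parts: a bucket name shipped inside the app, and a bucket that answers anonymous requests. The second part is the one a bucket owner can fix. As an added example (not Cybernews' tooling and not the developer's code), the following Python script inspects a Google Cloud Storage bucket's IAM policy and metadata in the JSON shapes returned by the GCS JSON API, reports grants to anonymous or any-Google-account principals, and produces a hardened policy and configuration. The policy, bucket name and service account below are constructed placeholders.

```python
"""Detect and remove anonymous access grants on a Google Cloud Storage bucket.

Added example, not code from Cybernews or from the affected apps. The policy
and bucket metadata are constructed samples with placeholder names; the field
names follow the GCS JSON API Bucket and Policy resources.
"""
import copy
from typing import Dict, List, Tuple

# Principals that make a binding reachable without the app's own credentials
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed: a bucket policy that lets anyone list and read every object
WEAK_POLICY = {
    "etag": "placeholder-etag",
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:app-backend@example-dating-app.iam.gserviceaccount.com"]},
    ],
}

# Constructed: bucket metadata with neither guardrail against public objects
WEAK_BUCKET = {
    "name": "example-dating-app.appspot.com",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False},
        "publicAccessPrevention": "inherited",
    },
}


def public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    found = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((binding["role"], member))
    return found


def harden_policy(policy: Dict) -> Dict:
    """Copy the policy with public principals removed; bindings left empty are dropped."""
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


def bucket_config_findings(bucket: Dict) -> List[str]:
    """Flag bucket-level settings that still allow individual objects to become public."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled", False):
        findings.append("uniform bucket-level access disabled: per-object ACLs can grant allUsers READER")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced: allUsers grants are still permitted")
    return findings


def hardened_bucket_config(bucket: Dict) -> Dict:
    """Copy the bucket metadata with both guardrails switched on."""
    fixed = copy.deepcopy(bucket)
    cfg = fixed.setdefault("iamConfiguration", {})
    cfg["uniformBucketLevelAccess"] = {"enabled": True}
    cfg["publicAccessPrevention"] = "enforced"
    return fixed


if __name__ == "__main__":
    for role, member in public_bindings(WEAK_POLICY):
        print(f"public grant: {member} -> {role}")
    for finding in bucket_config_findings(WEAK_BUCKET):
        print(f"config: {finding}")
    print("hardened bindings:", harden_policy(WEAK_POLICY)["bindings"])
```

The two inputs can be exported with `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` and `gcloud storage buckets describe gs://BUCKET --format=json` and fed to the functions above. The point of the check is that a bucket name embedded in a client is not itself a credential: once no binding names `allUsers` or `allAuthenticatedUsers`, an anonymous request for the same bucket is refused regardless of what the app ships. Buckets accessed through the Firebase SDK are additionally governed by Firebase Storage security rules, which must also deny unauthenticated reads and are not inspected here.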

Image: Open storage bucket.

Privacy nightmare

The thought of such images being exposed is a nightmare for many, sparking fears of damage to their privacy and dignity. Given the nature of the apps, the photos shared with other users are often highly sensitive and explicit.

Malicious actors often exploit highly sensitive leaked content for extortion, social engineering, and attempts to damage a person’s professional reputation. Moreover, impacted individuals could be put at elevated risk of harassment. With homosexuality being illegal in some countries, the leak could put app users at high risk of persecution.


Although the leaky storage buckets do not explicitly contain data on user identities such as usernames, emails, or messages, malicious actors could still uncover the individuals behind the photos using OSINT techniques like reverse image searching.


The nature of the iOS dating apps’ leak enables attackers to craft extremely convincing attacks. For example, threat actors can deploy scrapers or monitoring scripts to access new data in real-time, allowing them to execute extortion and social engineering attacks with extreme precision.

What secrets were leaked?

  • API Key
  • Client ID
  • Google App ID
  • Project ID
  • Reversed Client ID
  • Storage Bucket
  • GAD Application Identifier
  • Database URL

All of the affected apps are developed by M.A.D Mobile Apps Developers Limited. Their identical architecture explains why the same type of sensitive data was exposed in each of them. As Cybernews has discussed before, these types of secrets rank among the top 10 most commonly leaked secrets in iOS apps.

Additionally, the apps are exclusive to iOS and do not have Android or web alternatives.

Cybernews uncovered the leak after a large-scale investigation. Our researchers downloaded 156,000 iOS apps, around 8% of all apps on Apple's App Store. They discovered that app developers are leaving plaintext credentials in the application code accessible to anyone.

The findings revealed staggering numbers: 71% of the analyzed apps leak at least one secret, with an average app's code exposing 5.2 secrets.
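The secret types listed earlier (API Key, Client ID, Google App ID, Project ID, Reversed Client ID, Storage Bucket, GAD Application Identifier, Database URL) are the fields that a Firebase-enabled iOS app carries in its GoogleService-Info.plist, and a check for them is the kind of pre-release gate that would have caught the problem the investigation describes. As an added example (not Cybernews' research tooling and not code from the affected apps), the following Python script parses that file from an extracted app bundle, reports which of the listed secret types are present, and separates values that merely point at a backend (storage bucket, database URL) from values that act as keys. It assumes the standard Firebase key names such as API_KEY and STORAGE_BUCKET; the GAD_APPLICATION_IDENTIFIER key name and every value in the sample plist are placeholders constructed for the example.

```python
"""Scan an iOS app bundle's Firebase config for embedded secrets.

Added example, not Cybernews' tooling nor code from the affected apps. It
checks a GoogleService-Info.plist for the secret types named in the article.
The plist below is constructed with placeholder values.
"""
import os
import plistlib
from typing import Dict

# Article's secret types mapped to the standard GoogleService-Info.plist keys
SECRET_KEYS: Dict[str, str] = {
    "API Key": "API_KEY",
    "Client ID": "CLIENT_ID",
    "Google App ID": "GOOGLE_APP_ID",
    "Project ID": "PROJECT_ID",
    "Reversed Client ID": "REVERSED_CLIENT_ID",
    "Storage Bucket": "STORAGE_BUCKET",
    "GAD Application Identifier": "GAD_APPLICATION_IDENTIFIER",  # assumed key name
    "Database URL": "DATABASE_URL",
}

# Values that only locate a backend resource; their danger depends on whether
# that resource requires authentication (the article's buckets did not).
BACKEND_POINTERS = {"Storage Bucket", "Database URL"}

# Constructed sample plist with placeholder values (not real credentials)
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>API_KEY</key><string>AIza-PLACEHOLDER-KEY</string>
  <key>CLIENT_ID</key><string>123-placeholder.apps.googleusercontent.com</string>
  <key>REVERSED_CLIENT_ID</key><string>com.googleusercontent.apps.123-placeholder</string>
  <key>GOOGLE_APP_ID</key><string>1:123:ios:placeholder</string>
  <key>PROJECT_ID</key><string>example-dating-app</string>
  <key>STORAGE_BUCKET</key><string>example-dating-app.appspot.com</string>
  <key>DATABASE_URL</key><string>https://example-dating-app.firebaseio.com</string>
  <key>BUNDLE_ID</key><string>com.example.dating</string>
</dict>
</plist>
"""


def find_embedded_secrets(plist_bytes: bytes) -> Dict[str, str]:
    """Return {article label: value} for every listed secret type present in the plist."""
    data = plistlib.loads(plist_bytes)
    return {label: str(data[key]) for label, key in SECRET_KEYS.items() if key in data}


def classify(secrets: Dict[str, str]) -> Dict[str, str]:
    """Tag each finding as a backend pointer (check the resource's auth) or an embedded secret."""
    return {label: ("backend-pointer" if label in BACKEND_POINTERS else "embedded-secret")
            for label in secrets}


def redact(value: str, keep: int = 4) -> str:
    """Mask a value for reports, keeping only its last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def scan_bundle(root: str) -> Dict[str, Dict[str, str]]:
    """Walk an extracted .app directory and scan every GoogleService-Info.plist found."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == "GoogleService-Info.plist":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = find_embedded_secrets(fh.read())
    return results


if __name__ == "__main__":
    found = find_embedded_secrets(SAMPLE_PLIST)
    kinds = classify(found)
    for label, value in found.items():
        print(f"{label:28s} {kinds[label]:16s} {redact(value)}")
```

Run against a decrypted, unpacked IPA, `scan_bundle("Payload/App.app")` lists each config file and the secret types it contains. Findings tagged `backend-pointer` are the ones to cross-check against the bucket's or database's own access controls, since removing the string from the app does nothing if the resource still serves anonymous requests.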

Fetish dating app leaks photos from private messages

Image: Photo sent via a private chat on the BDSM People app.

The app named “BDSM People – Kinky Fetish Dating” promises to be a safe, secure, and discreet way to meet like-minded people for dating purposes. However, due to the exposed secrets, the app is neither secure nor discreet.

The secret left in the code allowed access to a storage bucket with 1.6 million files and over 128GB of data. Among the files, there were around 541,000 images users sent to each other or uploaded to the app.

What was exposed:

  • 18,000 photos removed by moderators
  • 270,000 user profile photos
  • 70,000 photos from public posts
  • 90,000 photos from user chats
  • 65,000 blurred photos
  • 28,000 profile verification photos

The app was downloaded over 200,000 times, indicating a broad user base potentially affected by the leak.

The hidden risks for sugar daddy seekers

Image: Photo sent via a private chat on the Chica app.

“CHICA – Luxury Dating Club,” an app downloaded over 80,000 times, specializes in sugar dating. Like the other affected apps, it had the credentials granting access to its storage bucket hard-coded in its code.

The leaky bucket contained almost 45GB of data, including 133,000 images of app users, some of which were shared privately in direct messages.

What was exposed:

  • 2,200 images sent via chats
  • 11,000 photos uploaded as posts
  • 4,700 images removed by the moderators
  • 94,000 profile photos
  • 23,000 photos uploaded for profile verification

LGBTQ+ community affected by the leak

The LGBTQ+ community was also impacted by the data leak, with three apps widely used within the community exposing sensitive user photos.

Image: iOS dating apps chart.
Image: Photo sent via a private chat on the Translove app.
Image: Photo sent via a private chat on the Brish app.

Updated on April 3rd with the company's statement.

The company's response

Cybernews immediately contacted M.A.D Mobile Apps Developers Limited regarding the leak. The company responded after the article was published, stating that the exposed instance is no longer accessible.

“Even though no real data leak occurred, this does not absolve us of responsibility. On the contrary, it has motivated us to strengthen our security measures further,” said the company’s spokesperson.


“We apologize to our users for any concern caused by the article and hope other developers will take this issue seriously.”