iPhone wingman app leaks 160K chat screenshots

The publicly accessible bucket contained data from the iOS app FlirtAI - Get Rizz & Dates. It mainly included private chats that users wanted the AI wingman to help them reply to.
- FlirtAI wingman app leaked 160K chat screenshots through unprotected cloud storage.
- Teenagers frequently used the app, making the breach more concerning for minors.
- Some individuals were likely unaware their conversations were screenshotted and sent to third parties.
Sending private screenshots to an AI-based “wingman” app is probably not the best idea. Who would have thought? Unfortunately, users of FlirtAI - Get Rizz & Dates will have to find out the hard way.
The Cybernews research team recently discovered an unprotected Google Cloud Storage Bucket owned by Buddy Network GmbH, an iOS app developer.
The exposed data was attributed to one of the company’s projects, FlirtAI - Get Rizz & Dates, an app that intends to analyze screenshots that users provide, promising to suggest appropriate replies.
Meanwhile, the app makers leaked over 160K screenshots from messaging apps and dating profiles, belonging to individuals that users of the AI wingman wanted assistance with.
What makes it worse is that, according to the team, leaked data indicates that FlirtAI - Get Rizz & Dates was often used by teenagers, who fed the AI screenshots of their conversations with their peers.
“Due to the nature of the app, people most affected by the leak may be unaware that screenshots of their conversations even exist, let alone that they could be leaked on the internet,” the team said.
After the team notified the company and the relevant Computer Emergency Response Team (CERT), Buddy Network GmbH closed the exposed bucket. We have reached out to the company for a comment and will update the article once we receive a reply.
What data did the iOS wingman app expose?
The exposed bucket mostly contained chat and dating profile screenshots. That’s because FlirtAI - Get Rizz & Dates asks users to do just that.
“Snap a screenshot of your match's profile or chat, switch to FlirtAI, and let the AI work its magic,” reads the app’s description on Apple’s App Store. The “magic” being the five tailored responses the app provided users with.
Apart from initials included in the dating profile screenshots, details included in conversation screenshots are private, as most of the individuals on the other end of the conversation likely had no idea their data would be uploaded to a third party.
“Because of how chat apps’ interfaces are designed, screenshots only contain the identifying information of the people you are talking to, meaning they are easier to track than those using the leaking app. Moreover, they are likely unaware that screenshots of their conversations even exist, let alone were sent to an AI app and subsequently leaked to the open internet,” the team said.
The app’s makers seem to be aware that its modus operandi sits in a privacy gray area, as the app notes that “You are only allowed to upload a screenshot when you have obtained the necessary approvals from all users/humans and their information mentioned in the screenshot.”
A completely unrealistic way of behaving for the app’s target audience.
Teenagers face elevated risks
Nevertheless, individuals whose screenshots were leaked could also experience distress. According to the team, FlirtAI - Get Rizz & Dates caters to individuals who could be dealing with self-esteem or self-confidence issues. Having their attempts to spruce up their chat game leaked could affect their mental health.
“The fact that teenagers used this app may increase the severity of a potential data breach as data from minors is considered more sensitive, and could be subject to more restrictions regarding potential data uses and collection and processing practices,” the team added.
The app’s profile on the App Store indicates it has a 17+ age rating over “profanity or crude humor” and “mature/suggestive themes.”
Buddy Network GmbH is registered in Berlin, Germany, which means that the strict European privacy laws ought to apply to the company. Moreover, the company also has two more apps listed under its name on the App Store.
One is “Angel - Talk to me at any time,” which provides tailored responses from a, you guessed it, angel-looking “partner” called Angel. Another of the company’s apps is “90 Seconds - Your AI Journal,” where an AI agent helps to curate personal journaling experiences.
Many iOS apps leak data
FlirtAI - Get Rizz & Dates is far from the only iPhone app to expose data. The Cybernews research team has discovered numerous apps with devastating security issues. For example, a number of BDSM, LGBTQ+, and sugar dating apps have been found exposing users' private images, with some of them even leaking photos shared in private messages.
In other cases, our researchers discovered that apps meant to track family members, secretly store sensitive data, or help with private communications were leaking huge amounts of sensitive data.
Another recent exposure was uncovered during a large-scale investigation. Cybernews researchers downloaded 156,000 iOS apps, around 8% of all apps on the Apple Store, discovering that developers leave plaintext credentials in the application code accessible to anyone.
The findings revealed that 71% of the apps analyzed leak at least one secret, with an average app's code exposing 5.2 secrets.
- Leak discovered: May 6th, 2025
- Initial disclosure: May 19th, 2025
- CERT contacted: June 2nd, 2025
- Leak closed: June 16th, 2025