Hi, Jack'd: A little PSA for anyone using this dating-hook-up app... Anyone can slurp your private, public snaps

Dating-slash-hook-up app Jack'd is exposing to the public internet intimate snaps privately swapped between its users, allowing miscreants to download countless X-rated selfies without permission. The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi …

  1. herman Silver badge

    Eeewww...

    This sounds like the new goatse.

  2. cookieMonster
    Facepalm

    But

    But the good professor (Professor Gus Uht, engineering professor-in-residence at the University of Rhode Island, USA) just said we're not to tell anyone, because... Security, or something....

    1. phuzz Silver badge

      Re: But

      The prof unaccountably failed to say what a security researcher should do when the company they report the problem to does absolutely nothing.

      I'd say that reporting (and demonstrating) it to the press, whilst not making any of the technical details public is a pretty responsible way of handling it. Perhaps Jack'd can be publicly shamed into fixing the problem even if they're not willing to fix it privately?

      On the other hand, imagine how many more dates there'll be for people who fancy computer security experts, now that they'll all be making accounts to try and discover the flaw for themselves.

  3. Pascal Monett Silver badge

    "Online Buddies did not respond to repeated requests for an explanation"

    That's because they're trying to find an alternative to "we never thought that anyone would try that".

    So let me see if I get how this app works:

    1) you make the mistake of installing it

    2) you peruse the profiles and find someone of interest to you

    3) at some point, you take a pic and send it to him

    4) somehow, the online database of images records your pic, but has zero security on it

    5) somehow, the manager of the company saw no problem with that issue at development time

    6) somehow, the developer of the database found absolutely no way to link profiles to an image and prevent anyone else from seeing it, and couldn't be arsed enough to pull the fire alarm on this

    I get that this app is being used by the alternately sexed and I believe that there may be one hell of a market for that. After all, it seems pretty obvious that those apps will have guys on them, since the Ashley Madison kerfuffle demonstrated that it was mostly guys on sites where women were supposed to be present and searching.

    It does seem that this app is nothing but a cash grab to try and benefit from this market, which is disgusting because it's not like homosexuals don't have other important daily problems to worry about.

    1. Mark 85 Silver badge

      Re: "Online Buddies did not respond to repeated requests for an explanation"

      6) somehow, the developer of the database found absolutely no way to link profiles to an image and prevent anyone else from seeing it, and couldn't be arsed enough to pull the fire alarm on this

      It might have been specced out that way, or more likely, the developer(s) were basically monkeys and paid peanuts.

    2. AdamWill

      Re: "Online Buddies did not respond to repeated requests for an explanation"

      I'm a bit confused as to why you seem to think a hookup app for gay people is some sort of late-market cash-in. Do you not know that these apps considerably pre-date all the ones that *aren't* aimed specifically at gay people? grindr and jackd have been around for years, tinder is the johnny-come-lately (comparatively). They're no *more* cash grabs than any such app is a cash grab, though the ownership of lots of them seems pretty sketchy lately (so, about in line with all the 'hi' profiles, har.)

  4. brotherelf

    Yeah, about par for the course…

    My money's on "Nobody will be able to guess this random six-letter filename, so we don't need access control or authorization".

    1. MJB7

      Re: Yeah, about par for the course…

      Actually, if it was a random 30-character (or so) filename, that wouldn't be completely unreasonable. (31 characters being enough to encode a base-36 encoded version of a SHA1 hash - obviously SHA256 would be better, but SHA1 is probably "good enough". Alternatively, it could be 20 bytes from /dev/urandom.)
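The two designs the last two comments contrast (a filename that is merely hard to guess, versus an image that is tied to the two profiles exchanging it) as an added Python example; this is not Jack'd's code nor anything from the article, and the store, function and parameter names are assumed. It generates 20 bytes from the OS random source and base-36 encodes them, as the comment suggests, and then shows that even with such a name a proper store still checks who is asking:

```python
import math
import secrets
import string

# Constructed illustration of the thread's two approaches: an unguessable
# filename on its own, versus a per-image ownership check. Not Jack'd's code;
# every name below is an assumption made for this example.

BASE36 = string.digits + string.ascii_lowercase


def to_base36(n: int) -> str:
    """Encode a non-negative integer as a base-36 string."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(BASE36[r])
    return "".join(reversed(digits))


def random_name(nbytes: int = 20) -> str:
    """Filename built from nbytes of OS randomness (secrets reads /dev/urandom on Unix), base-36 encoded.

    20 bytes is 160 bits, which needs at most 31 base-36 characters, matching the comment's figure.
    """
    return to_base36(int.from_bytes(secrets.token_bytes(nbytes), "big"))


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random name of the given length and alphabet size."""
    return length * math.log2(alphabet_size)


class PrivateImageStore:
    """Toy store: each image is bound to a sender and a recipient, and fetch() enforces that."""

    def __init__(self) -> None:
        self._images: dict[str, tuple[str, str, bytes]] = {}

    def upload(self, sender: str, recipient: str, data: bytes) -> str:
        name = random_name()
        self._images[name] = (sender, recipient, data)
        return name

    def fetch(self, name: str, requester: str) -> bytes:
        try:
            sender, recipient, data = self._images[name]
        except KeyError:
            raise LookupError("no such image") from None
        # Authorization: knowing the name is not enough; the requester must be
        # a party to the exchange. Without this check the name is the only secret.
        if requester not in (sender, recipient):
            raise PermissionError(f"{requester} may not view {name}")
        return data


if __name__ == "__main__":
    print("6 lowercase letters:", round(guess_space_bits(6, 26), 1), "bits")
    print("31 base-36 chars:   ", round(guess_space_bits(31, 36), 1), "bits")
    store = PrivateImageStore()
    name = store.upload("alice", "bob", b"constructed image bytes")
    print("name:", name, "(length", len(name), ")")
    print("bob can read:", store.fetch(name, "bob") == b"constructed image bytes")
```

The entropy numbers make the comment's point concrete: six letters give under 30 bits, which an enumerating client can exhaust, while 31 base-36 characters give about 160. The store shows the second half of the argument, which is that even a long random name should be treated as an identifier and not as the sole authorization decision.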

  5. chivo243 Silver badge
    Holmes

    Programmers

    I get the feeling that some apps get outsourced, the actual coders only see the project when they are active on it... once it's out the door, it's on to the next contract?

    1. Snake
      IT Angle

      Re: Outsourced programmers

      Oh yeah, that hits the nail on the head. Went through that myself after my company bought the development of its (small) website; the web "developer" in reality outsources the actual development to Poland.

      As usual, this tech project was initiated by a tech-ignorant boss, who thinks he is otherwise, without asking me or telling me anything until it was completed, and the result dropped into my lap.

      The Polish coders developed said website, uploaded it to the required location but failed to change anything as required from the stock installation of the CMS as per correct security practices.

      So, of course, said web site was therefore hacked to download malware to our kind visitors.

      Because doing small things like security would have been an 'extra-cost upgrade', supposedly.

      ...

      The developed web site had bugs, improperly implemented security, lousy layout choices, inadequate good descriptions and truncated index listings, etc etc etc. Fixed, of course, after I got a handle on PHP, debugged the pages (I haven't programmed in years), updated the CMS, moved it once to a new location (which was a poor choice, the (major, big box) hosting service sucks), etc etc etc.

      Does anything ever change??

  6. Alistair Silver badge
    Windows

    Phone app development nutshell.

    Dudes, yer cramping the ad income style here......

    *cough*

  7. mptBrain

    Can you report these security flaws directly to Google and Apple? If both stores removed Jack'd then the company would probably get to fixing the problem rather quickly, since they wouldn't want to lose income!


Biting the hand that feeds IT © 1998–2019