Jack’d knew about security flaw for at least a year, exposing private pics, vids, and user locations

The bad news just keeps coming for Jack’d users…

Earlier this week, The Register reported that, due to a major security flaw, x-rated pics and videos privately shared between users on the popular hookup app have been publicly available to view online for the past three months.

The security breach was first discovered by Oliver Hough, who now says he actually reported it to Jack’d a year ago, not three months ago, as originally reported.

That’s right, folks. All your most scandalous pics and videos have been publicly accessible for at least a year. Maybe longer. That’s just when Hough discovered the flaw and alerted developers, who did nothing to remedy the situation.

Hough tells Out that he first discovered the bug while investigating several different dating apps to see how they work. Specifically, he wanted to know how information was shared between the app and the servers where data was stored.

It didn’t take long for him to notice that the way Jack’d stored its photos, both public and private, allowed anyone to access them, regardless of whether they had a Jack’d profile.

Hough emailed the company about the flaw in February 2018. He received a response saying they’d “look into it.” He kept an eye on the flaw and says nothing was ever fixed. When he reached out to Jack’d again, they stopped responding.

It wasn’t until after The Register published its story this week that Mark Girolamo, CEO of Jack’d parent firm Online Buddies, issued a short statement, saying: “Our tech team is aware of the photo vulnerability and has already programmed the changes for this fix. They will deploy the fix tomorrow, February 7.”

But Hough says Jack’d waited way too long to address the problem, allowing for millions of private photos and videos to be accessed without users’ knowledge or consent.

“I don’t feel they were quick enough to respond and I believe they only rushed to get it fixed after they knew the story was going to be published,” he tells Out. “I’m glad they have rolled out a fix, though it took too long to get here.”

But it gets worse.

According to Ars Technica, the problem extended beyond just leaking people’s private pics and videos.

The app also exposed users’ locations and other information that could potentially reveal a person’s identity. This is particularly concerning for users who live in places where homosexuality is illegal.

Both Hough and Ars Technica have confirmed that the flaw appears to be corrected; however, Hough says he plans to continue testing to ensure there are no other ways around the fix.

In the meantime, we’ll definitely be staying off Jack’d for a while.

h/t: Queerty