A security flaw in gay dating app Jack’d has left private intimate photos publicly exposed on the internet.
Anyone with a web browser who knows where to look can access millions of private photos, even if they do not have a Jack’d account.
Researcher Oliver Hough told BBC News he had reported the flaw to Jack’d a year ago but it has still not been fixed.
The company has not responded to a request for comment.
News site The Register first reported the flaw on 5 February, even though it had not been fixed, in order to warn the app’s users.
Jack’d has been downloaded more than five million times on the Google Play app store.
It lets members add “private” photos to their profile, which should be visible to only specific people they have chosen to share them with.
However, Mr Hough found that all the photos shared in the app were uploaded to the same open web server, leaving them exposed.
And BBC News has seen evidence that private photos are still publicly available on the web server.
According to news website Ars Technica, the app also leaked “location data and other metadata about users”.
Earlier this week, the company’s chief executive, Mark Girolamo, told Ars Technica a fix would be deployed on Thursday
However, Jack’d has not yet issued a statement addressing the flaw and it remains unfixed.
“They acknowledged my report but then just went silent and did nothing,” Mr Hough told BBC News.
“A journalist contacted them in November and they did the same.”