This is what a massive online privacy violation looks like

The popular gay-oriented smartphone app “Jack’d” has a security flaw that permits anyone with an Internet connection to easily find the exact location of any Jack’d user currently online.

I just found literally thousands of gay men across Europe, Asia, the Middle East and Africa.

UPDATE: I’ve just received a statement from Jack’d:

Statement by Adam Segel, Jack’d CEO
Jack’d takes the privacy and personal security of its users very seriously. We were informed of this location security issue by a security researcher over the weekend and are currently working as quickly as possible to resolve the situation.

The news of Jack’d’s security problem comes on the heels of a similar flaw that was discovered on another popular gay smartphone app “Grindr.” When the Grindr flaw was initially revealed by an anonymous gay Grindr user in Europe, the company claimed the breach wasn’t a problem.

After a large amount of negative publicity, Grindr turned off its “location” option in countries where being gay is dangerous (Grindr had originally turned off the location function altogether, but then turned it back on in many countries), which means Grindr users in Europe, America and beyond are still vulnerable.

The exact location of gay men currently on Grindr in Tehran, Iran, a country in which gay men are put to death.

Jack’d’s flaw is reportedly even more serious than Grindr’s.

While Grindr permitted you to find the location of some 50 gay users at a time, using triangulation, Jack’d doesn’t even require triangulation — it simply turns over the exact location of thousands of users at a time, according to the European who discovered the original Grindr problem.
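The two disclosure levels described above (a precise distance that can be combined from several vantage points, versus exact coordinates handed over directly) are both avoidable on the server side. The following is an added example, not code from Jack’d, Grindr, or the researcher quoted here; it shows the coarsening a location-aware API should apply before anything leaves the backend: snap each user’s position to a grid cell and report only a bucketed distance computed from that cell. The grid size, the bucket boundaries and the coordinates are all constructed, assumed values.

```python
import math

KM_PER_DEG_LAT = 111.32          # approximate; adequate for coarsening
GRID_KM = 1.0                    # assumed cell size, a tunable policy value
DISTANCE_BUCKETS_KM = (1, 2, 5, 10, 25, 50)


def snap_to_grid(lat, lon, cell_km=GRID_KM):
    """Return the centre of the cell_km x cell_km grid cell containing (lat, lon).

    Every position inside one cell is reported identically, so a viewer
    cannot tell where in the cell a user is, or whether they moved within it.
    """
    dlat = cell_km / KM_PER_DEG_LAT
    lat_c = (math.floor(lat / dlat) + 0.5) * dlat
    # Longitude degrees shrink with latitude; size the column by the cell's own latitude.
    dlon = cell_km / (KM_PER_DEG_LAT * math.cos(math.radians(lat_c)))
    lon_c = (math.floor(lon / dlon) + 0.5) * dlon
    return lat_c, lon_c


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))


def bucket_distance(km):
    """Collapse a distance into a coarse label instead of a precise number."""
    for limit in DISTANCE_BUCKETS_KM:
        if km < limit:
            return f"under {limit} km"
    return f"over {DISTANCE_BUCKETS_KM[-1]} km"


def public_distance(viewer, target):
    """What the API should hand a viewer about a target: a bucket computed
    from the target's snapped cell. Raw coordinates never leave the server."""
    t_lat, t_lon = snap_to_grid(*target)
    return bucket_distance(haversine_km(viewer[0], viewer[1], t_lat, t_lon))


def movement_visible(viewer, before, after, coarsen=True):
    """True if the viewer can tell that the target moved from `before` to `after`.

    coarsen=False models an API that reveals the precise distance;
    coarsen=True models one that reveals only the bucketed, snapped value.
    """
    if coarsen:
        return public_distance(viewer, before) != public_distance(viewer, after)
    return haversine_km(*viewer, *before) != haversine_km(*viewer, *after)


# Constructed sample positions (not taken from the article's maps).
VIEWER = (48.8600, 2.3500)
TARGET_A = (48.8540, 2.3500)       # A and B are ~220 m / ~440 m apart: same 1 km cell
TARGET_B = (48.8560, 2.3560)

if __name__ == "__main__":
    print("exact distance A:", round(haversine_km(*VIEWER, *TARGET_A), 3), "km")
    print("exact distance B:", round(haversine_km(*VIEWER, *TARGET_B), 3), "km")
    print("public answer A:", public_distance(VIEWER, TARGET_A))
    print("public answer B:", public_distance(VIEWER, TARGET_B))
    print("movement visible, precise distance:", movement_visible(VIEWER, TARGET_A, TARGET_B, coarsen=False))
    print("movement visible, coarsened:", movement_visible(VIEWER, TARGET_A, TARGET_B))
```

Two design points matter here. Distances are computed from the snapped cell, not from the true position, so repeated queries from different viewers only ever narrow a target down to a cell, never to a street. And cell snapping alone still has an edge case: a user standing near a cell boundary flips between two answers as they drift across it, which is why deployments that care about this add a per-user stable offset or widen the cell in jurisdictions where exposure is dangerous.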

With the click of a mouse, for example, I was able to find every gay Jack’d user in the entire nation of Iran (and a few surrounding countries like Kuwait, to boot). If you zoom in on any of the examples below, you can see what street they’re on, and where they are on the street. (Well, you can’t zoom in, I can via a set-up I won’t be posting online.)

Every Jack'd user online in Iran.

In the 24 hours since the security flaw was discovered, the exact location of over 350,000 Jack’d users has been uncovered, including 1,941 users in China, 282 in Iran, 17,250 in Indonesia, 12,239 in Eritrea, 297 in Russia, 1,499 in Saudi Arabia, 466 in Brunei, 22 in Nigeria, and 2 in Uganda.

Here’s Tehran, where gays can be put to death:

Jack'd users in Tehran, Iran.

Here’s a lone gay in Khartoum, Sudan — a country where the law puts gays to death:

Gay Jack'd users in Khartoum, Sudan.

And here are Jack’d’s users in Riyadh, Saudi Arabia — always a fun place to be different:

Jack’d users in Riyadh, Saudi Arabia.

Yemen:

Jack’d users in Sana’a, Yemen.

Moscow:

Jack’d users in Moscow, Russia.

Gaza:

Jack’d users in Gaza.

China:

Jack’d users in China.

Brunei:

Jack’d users in Brunei.

Nigeria:

Jack’d users in Lagos, Nigeria.

Uganda:

Jack’d users in Uganda.

And here’s a larger map I created, showing a sampling of the gay men in Europe, Africa and the Middle East who were online simultaneously, and whose exact location I found:

Every gay man online using the Jack'd app in Europe, Africa and the Middle East.

Check out this image of Western Europe alone. Each dot is a different man’s exact location, live. There are so many it blurs the screen. (You can zoom in and see exactly where they live.)

Jack’d users online in Western Europe.

And here’s Paris:

Jack’d users in Paris.

London:

Jack’d users in London.

And Berlin:

Jack’d users in Berlin.

It’s hard to imagine, with Europe’s strict privacy laws, that any of this is legal over there.

Suffice it to say, our initial concerns about this problem stretching across other smartphone apps that check your location have turned out to be well founded.


John Aravosis is the Executive Editor of AMERICAblog, which he founded in 2004. He has a joint law degree (JD) and masters in Foreign Service from Georgetown; and has worked in the US Senate, World Bank, Children's Defense Fund, the United Nations Development Programme, and as a stringer for the Economist. He is a frequent TV pundit, having appeared on the O'Reilly Factor, Hardball, World News Tonight, Nightline, AM Joy & Reliable Sources, among others. John lives in Washington, DC.

26 Responses to “This is what a massive online privacy violation looks like”

  2. ToyotaBedZRock says:

    Hornet seems to be popular in my area.

  3. ToyotaBedZRock says:

    There are gay apps that target middle eastern and Asian regions

  4. Drew2u says:

    Hey John, what do you think of the CEO of SCRUFF’s article on HuffPo?

    http://www.huffingtonpost.com/eric-silverberg/security-location-and-the_b_5793216.html

    “In addition, we’ve struck an innovative partnership with ILGA, a non-profit that publishes an annual report of gay and lesbian rights worldwide. Coming soon, when a user travels to a country included in the ILGA report and launches SCRUFF, he will see an alert informing him of the presence of local laws criminalizing homosexual activity. By increasing awareness about these laws, we hope to keep our members vigilant and raise the global pressure for reform.”

  5. Drew2u says:

    *Makes an account*

  6. BlueIdaho says:

    What about Adam4Adam? I know a lot of mormons use it here in Boise. :)

  7. Rambie says:

    Hmm, I don’t know. Jack’d responded within a day of John’s article so I think it’s good and much better than the “Working as intended” he got from Grindr.

    Did Jack’d look for a vulnerability when grindr’s surfaced? I don’t know. Should they have? Yes. Assuming they did look, it doesn’t seem the same as Grindr’s so I’m not sure they’d have found it. Any developer should continue to hunt for bugs in their service as well as add features and improve their service/app.

    I’m interested in the underlying vulnerability; seems it may not be the apps but an underlying app-platform that has a bug being utilized.

  8. MileHighJoe says:

    Maybe I’m just cranky today, but I’d have to say the opposite: In light of the Grindr problem being exposed a while ago, I’m shocked it took Jack’d so long to discover their own location vulnerability.

    Willful ignorance?

  9. Rambie says:

    I had never heard of Jack’d either until this article but, good to see them respond so quickly instead of denying there is an issue. Hopefully they can quickly secure their system without breaking functionality.

  10. Hue-Man says:

    That’s getting very close to “blame the victim”. How many facts have been made public about U.S. government spying on Americans that were a surprise to you? How about this one?

    “FBI can spy on you through your webcam without triggering the indicator light… and has had the technology for several years” http://www.dailymail.co.uk/news/article-2520707/FBI-spy-webcam-triggering-indicator-light.html CHEESE!

    These companies have a higher responsibility to their users because their downside risk is death or imprisonment and because it’s not ordinary hackers or nosy neighbors who will try to find their location. Imagine the resources that the Kingdom of Saudi Arabia could bring to bear to identify sinners!

  11. Yes, I’m the one with questionable ethics in this story. Let’s see how quickly Jack’d fixes the problem, then we’ll talk :)

  12. GarySFBCN says:

    Yes, because in the history of the world, nothing has ever changed because of something being ‘reported.’ Never.

    Your concern duly noted.

  13. goulo says:

    It’s clear that a lot of people would agree with you about stripping naked in the middle of a shopping mall, yet they are very naive and uninformed/uneducated when it comes to computer technology and privacy issues, and they don’t grok the possible implications of an app like this. It’s easy for us to blame them for their own ignorance, but we probably have analogous blind spots of our own.

  14. BeccaM says:

    What makes you think “the reporter” — by the way, his name is John Aravosis, it’s right there on the by-line — hasn’t been doing this?

    And as he’s indicated in his numerous posts on this topic, John has learned that the first reaction of every frickin’ one of these companies has been to deny there’s any problem whatsoever with their service. Grindr came right out and insisted there was nothing wrong with what they were doing and their service was operating exactly as intended.

    How about instead of blaming the messenger — the journalist in this case — the blame be put where it belongs: On the company that cavalierly markets a product that is technically illegal in some countries, yet does not warn its users about the dangers of broadcasting their locations.

  15. Naja pallida says:

    Any serious computer security expert in the world should scoff at the concept of security through obscurity. Making security vulnerabilities public knowledge is the only way to keep users adequately informed, when the app developers and companies that offer these apps have not. Especially in a case where it could literally be life or death, and the company has already stated that it doesn’t consider putting their users at risk to be a problem. How many people do you suppose need to be hurt before users should be allowed to become informed? By making the vulnerabilities public it gives the user the option to be proactive and protect themselves, and not have to wait for a reluctant company, that is only going to act if their bottom line is impacted.

  16. Naja pallida says:

    Well, they certainly aren’t taking in depth profiles and questionnaires to make up nonsense about compatibility, like some other dating sites.

  17. Joel says:

    Ethically I question the merits of the reporter.

    Yes, he states this is a flaw that needs to be addressed, as those in countries that are intolerant of homosexuality are at risk. But he himself has highlighted to everyone with access to the internet/twitter that there are ways in which they can find and harm these people.

    I wonder if a more responsible avenue would have been to contact the company prior to publishing this story, allowing them ample time to make adjustments to their security to ensure the safety of their users.

  18. Drew2u says:

    18 miles as the crow flies to find another guy around me, or 9 if it’s somebody at the local truck stop (which, apparently guys still do that).

  19. BeccaM says:

    Given the apparent ubiquity of these services, and the fact it takes a conscious act to download them because one wants to advertise both one’s position and sexual orientation, as well as potential hook-up interests — on top of which it’s beyond reasonable to think all these Grindr and Jack’d users DON’T know it’s illegal to be gay in the places where they reside… And it takes an improbably huge blind spot and/or denial not to imagine the authorities and violent anti-gay bigots won’t ever use these services to find targets…

    We’re talking reckless disregard for personal safety.

    Let’s just say my urge to protect people from their own foolishness and my sympathy levels are dropping fast. Although this still doesn’t take away from the irresponsibility of these companies offering services like this.

  20. Houndentenor says:

    In some of those countries it IS unlawful to be gay hence the problem.

  21. nicho says:

    I always thought the whole purpose of these hookup sites was to let people know you were interested in having sex and letting them know where you are.

  22. nicho says:

    Gay is not a “taste”

  23. Mike_in_the_Tundra says:

    The device is a cell phone.

  24. Third_stone says:

    The terrorists are coming after everybody. If gay was my taste, I would immediately throw the device away. It would be a terribly dangerous thing to carry anywhere. Even where it is not unlawful to be gay, there are plenty of haters who would make sport of terrorizing those who carried these devices.

  25. Hatfield says:

    Looking online, there’s basically nothing about Jack’d (which I never heard of before this but what do I know? I live in Hell’s Kitchen so locating gay people is a matter of walking down the hall). This is awful. I’ve looked at Techdirt but it mentions nothing either. I sent them a link to your previous story but they didn’t publish it.

  26. Indigo says:

    Since I’m not smart enough to operate a smart phone, I’m out of the woods.