AnotherFriend.com keeps all private and delete photos public

Mr. Duckford · 30-05-2015 12:04am #1

Hello,

First off, sorry if this is the wrong forum (again?), wasn't sure which one too choose from. I assume since my first post was removed from the "After Hours forum", it was the wrong choice? If there is something wrong with this post, please let me know rather than deleting it without me knowing why.

I'm a web developer and back in 2012 I signed up on the dating website anotherfriend.com.
Back then I noticed the absolutely poor security quality of the website. The company stores all photos by naming the photos using consecutive numbers, so that all photos are publicly accessible. Even photos that users specified to be "private" are publicly available. On top of that, photos that users "delete" from their dating profile, are not being deleted from the server. Same applies to photos from deleted or deactivated accounts. Once uploaded, all photos are permanently kept (unless it violates their T&Cs).

They have roughly a half a million photos on their server, many of them suppose to be deleted or private, but nope, all accessible by the public.

This is unacceptable on every level. I reported this issue to the anotherfriend.com back in August/September 2012. Support replied by saying they will forward this issue to their developer.
Now almost 3 years later and nothing has changed.

I find this totally unacceptable, especially because this is not a bug in their system, but very poorly designed system. Image names are suppose to be what is called "hashed", so people cannot guess the file name. They claim to be Irelands biggest dating website, but have a system in place that a 16 year old web developer could design better. Seriously, this company seems to have absolutely respect towards user privacy.
[link removed]

How can one report this when the company itself does not take this serious and just ignores it?

Sheldons Brain · 30-05-2015 12:10am

Mr. Duckford wrote: »

Hello,

First off, sorry if this is the wrong forum (again?), wasn't sure which one too choose from. I assume since my first post was removed from the "After Hours forum", it was the wrong choice? If there is something wrong with this post, please let me know rather than deleting it without me knowing why.

I'm a web developer and back in 2012 I signed up on the dating website anotherfriend.com.
Back then I noticed the absolutely poor security quality of the website. The company stores all photos by naming the photos using consecutive numbers, so that all photos are publicly accessible. Even photos that users specified to be "private" are publicly available. On top of that, photos that users "delete" from their dating profile, are not being deleted from the server. Same applies to photos from deleted or deactivated accounts. Once uploaded, all photos are permanently kept (unless it violates their T&Cs).

They have roughly a half a million photos on their server, many of them suppose to be deleted or private, but nope, all accessible by the public.

This is unacceptable on every level. I reported this issue to the anotherfriend.com back in August/September 2012. Support replied by saying they will forward this issue to their developer.
Now almost 3 years later and nothing has changed.

I find this totally unacceptable, especially because this is not a bug in their system, but very poorly designed system. Image names are suppose to be what is called "hashed", so people cannot guess the file name. They claim to be Irelands biggest dating website, but have a system in place that a 16 year old web developer could design better. Seriously, this company seems to have absolutely respect towards user privacy.

Here is a script I quickly wrote in a few minutes, demonstrating this massive privacy issue.
[link removed]

How can one report this when the company itself does not take this serious and just ignores it?

Talk to the Data Protection Commissioner.
https://www.dataprotection.ie

the 2012 report claims an "inspection" of Anotherfriend.com.

Mr. Duckford · 30-05-2015 12:17am

Sheldons Brain wrote: »

Talk to the Data Protection Commissioner.

the 2012 report claims an "inspection" of Anotherfriend.com.

Thanks, just sent them an email.

Sheldons Brain · 30-05-2015 12:32am

Good luck!

Gordon · 30-05-2015 8:13am

Mr. Duckford wrote: »

Seriously, this company seems to have absolutely respect towards user privacy.

I presume you mean 'no' respect towards user privacy?

If so, I find it surprising that you've publicly posted all of these private photos by posting a link to your script.

Please don't do that again.

Mr. Duckford · 30-05-2015 12:04pm

Gordon wrote: »

I presume you mean 'no' respect towards user privacy?

If so, I find it surprising that you've publicly posted all of these private photos by posting a link to your script.

Please don't do that again.

Don't worry,I have posted it on dozens of forums around the web, even on reddit. This company deserves no other way.
The usual limit of security leaks is 90 days notice. They had almost 3 years, for that reason I made it public. The outcry on other forums is as expected, boards.ie seems to prefer to delete the issue rather than face it.

I have no other choice than making it public.

By the way I have also noticed that company stores their passwords in plain text, instead of being hashed.

Gordon · 30-05-2015 12:39pm

If you've registered on boards to spam that link, then I'll remove your access. If you've come here to discuss the legal issues, then you've been given good advice above re data protection commissioner.

Mr. Duckford · 30-05-2015 12:47pm

Yeah my question was where I can report this and I have reported the issue to dataprotection.ie and thanked for the help.
I have no other enquirers.
This is a normal way of dealing with privacy and security leaks. You are given 90 days, after that, it's made public.

jawn · 01-06-2015 7:51am

I had a quick read of their terms and conditions, and privacy statement to which all users must agree while signing up.

Paragraph 10 of their Ts & Cs provides that:

Other than [sensitive personal data], which is covered under the Privacy Statement, any material that you transmit or post to this website... will be non confidential... The company will have no obligations with respect to such material...

Paragraph 7 of their Privacy Statement provides that:

Information we collect from you... during your membership of the Site is used... to provide you with the anotherfriend.com dating service. By submitting this information you are expressly agreeing to us processing that information in accordance with this Privacy Statement. Please remember that due to the nature of the membership of the Site, any information that is disclosed to anotherfriend.com can become public information...

...all information which you submit for inclusion on your profile will be publicly available on the Site. Anotherfriend.com will not disclose any personal data of a sensitive nature without your express consent, except in so far as you have included it on your "Profile"...

Personal data includes Photographs of yourself which you may post to the website. Please take care to either post to the public or private gallery...

This outlines the terms of your arrangement with respect to information provided and their obligations to you regarding that information, which includes photos. It appears to me that given that your pictures are, in all fairness, not publicly accessible by a layperson through their site, and require at least a rudimentary knowledge of how websites work (by virtue of one having to deduce the URL of photographs and manually type it into the address bar), they haven't undermined the public/private choice made available to you.

The Data Protection Acts are concerned with the unauthorised processing of information provided to "data processors", in this case, the website. Section 2(1)(c) of the Data Protection Act (as amended) provides that:

The data shall have been obtained for [a] specified, explicit and legitimate purpose, [and] shall not be further processed in a manner incompatible with that purpose...

The photos are stored online to allow you display them on your profile. Let's say you had three photos with consecutive URLs: photo1.jpg, photo2.jpg and photo3.jpg. They are hosted online to be viewed by other members. If someone views photo1.jpg and wonders if there is a photo2.jpg (which is not displayed) and deduces this URL, this photo has not been "further processed in a manner incompatible with [the initial] purpose". Further one can only deduce the URLs of pictures you don't want to be accessed by having reference to ones that you do. I'm unsure if by consecutive, you mean in terms of your account or the website as a whole. Like, for example, if the photo you want to be visible is anotherfriend.com/username/photo1.jpg and the one you have deleted but is still on the server is anotherfriend.com/username/photo2.jpg, then perhaps deleting that account and starting a new one with a different username renders accessing photo2 virtually impossible even though it may still be live at the URL, since would-be viewers would have no URL reference to deduce where the photo would be located.

Just my opinion, but by all means, contact the Data Protection Commissioner and get their views as they would know the more nuanced elements of this situation.

Mr. Duckford · 01-06-2015 10:36am

The photo url does not even include the username, it's simply
anotherfriend.com/13.jpg
anotherfriend.com/848000.jpg

Also when you login and click delete photo, it's not deleted from their server, just "unlinked" from your profile. Same for when you deactivated or ask them to delete the account, the photos are never deleted.

There is an option inside of the dating website, where it allows you the upload "private photos", which clearly outlines that only people who you give access to can view them. Seeing that many people post sexual oriented photos using the "private" option, I am pretty sure they would be outraged knowing that anyone can access those photos.

Their T&Cs do not comply with EU regulations about data protection. It's actually quite simple, if you want to have your information (text and photos) removed from their services, they MUST be removed.
Same goes for their "private" photo feature. You can't tell people they are "private" and then have a one liner in your T&Cs which contradicts that statement.

Anyway, I am sure the company behind anotherfriend.com has no bad intentions. It's simply their system that is utterly outdated. As a web developer, I can tell you, a system like this was already outdated in 2002, now it's 2015 and they still use such poor system.

If something like this would have happened to Facebook or Google where photos are stored with consecutive numbers or use plain text to store passwords, the entire EU commission would have an emergency meeting overnight.

Mr. Duckford · 01-06-2015 10:40am

Great, I wanted to edit my post to edit the photos urls (to not use the real links, not that it's a secret, since anyone can get the url by going the dating websites front page)
Ever since I signed up on boards.ie I always get a blank page when I click the edit button.

Gordon · 01-06-2015 9:17pm

I'd be surprised if the Data Commissioners don't have a problem with that, it's highly conflicting.

Mr.D, I've edited your previous post, if that's what you meant.

AnotherFriend.com keeps all private and delete photos public

Comments