Therefore I reverse engineered two dating apps

Therefore I reverse engineered two dating apps

Video and picture drip through misconfigured S3 buckets

Typically for photos or any other asserts, some form of Access Control List (ACL) is set up. A common way of implementing ACL would be for assets such as profile pictures

The main element would act as a “password” to gain access to the file, additionally the password would simply be provided users who require use of the image. When it comes to an app that is dating it’s going to be whoever the profile is presented to.

I’ve identified several misconfigured S3 buckets on The League through the research.