An online underground sex club's website was reportedly found to have a major security issue. The website of Skirt Club, which advertises itself as an underground online community for "girls who play with girls", reportedly exposed thousands of photos of its members to the public.
The site claims to cater to "bi-curious or bisexual" women and has been around since 2014. The club reportedly has over 5,000 members, most of whom are not open about their orientation. The site requires prospective members to provide a full-body picture, complete an online application and be reviewed by an in-house committee.
According to a report by Vice Germany, members' photos, featuring them partially or fully nude and some with names mentioned, were left without any password protection and accessible to non-members. It took Skirt Club around three weeks to patch the security issue, during which time the data was likely left exposed. The site was briefly down but at the time of writing is back up.
"On a scale from 1-10 in regards to negligence, this is an 11," said Stephan Urbach, a tech expert and online privacy activist, who analysed the security flaw.
Skirt Club used WordPress and the BuddyPress plug-in for its site. However, it was uncovered that a file that regulates access rights to photos was configured incorrectly. This allowed even non-members to access images by typing the regular website address, followed by the names of WordPress subfolders, into the browser. The site's servers held images of every applicant, even those rejected, and users could not take any of them down once uploaded.
Fortunately, the security issue did not expose the site's users' credit card information or their names. Skirt Club's founder, who goes by the pseudonym Genevieve LeJeune, said: "Unfortunately, as any new organisation, we are forced to do too much with very little and without the expertise of larger organisations."
LeJeune added: "As our membership began to accelerate, we took the decision to replace our website. The new site will launch in just a few weeks' time and it comes with increased security measures. As part of this launch we are deploying professional support to keep our website current and to protect it from new vulnerabilities as they are uncovered."
Data breaches and leaks such as those sustained by Ashley Madison and Adult Friend Finder highlight the significance of adopting strong security measures when handling sensitive and private user information.
IBTimes UK has reached out to Skirt Club for further clarity on the matter and will update this article in the event of a response.
Skirt Club director Renée Nyx told IBTimes UK: "We can confirm that no information regarding our members was ever accessible or released into the public domain."
She added that the Skirt Club website was briefly taken down to run "security checks". She also said that security experts have confirmed that the site was not breached, adding that Skirt Club takes their members' "privacy and the security of our website seriously".
Nyx said: "All images on our website are behind an encrypted security wall.
Our new website will launch in two weeks and the latest security features will be implemented in the new site. This includes forced SSL for all log-ins, separate site for members only with no connection to the public site, software to prohibit linking to any content from outside the site, as well as other security precautions that we will not be able to share for obvious reasons. We are excited about the new website which contains lots of new features for our members and of course meets the latest security standards to protect our members' privacy. Both our current and new website meet the highest security standards."