Popsugar’s Twinning App Found Leaking Selfies Uploaded by Users

Popsugar’s popular photo-matching app ‘Twinning’ has been found leaking photos uploaded by users. According to TechCrunch, anyone could download the hundreds of thousands of selfies uploaded to the app by accessing a storage bucket hosted on Amazon Web Services.


For those who aren’t familiar with the app, it simply analyzes your selfie or uploaded photo, compares it to a huge database of celebrity photos to find the closest matches, and finally gives you a ‘twinning percentage’ for your top five look-alikes. Users can then flaunt those matched photos on Facebook, Twitter, and other social media.

Apparently, the app stores all uploaded photos in a storage bucket whose address can be found in the code of the Twinning tool’s website. Anyone who opened that address in a web browser could see a real-time stream of uploaded photos.

“We verified the findings by uploading a dummy photo of a certain file size at a specific time. Then, we scraped a list of filenames uploaded during that time period from the bucket’s web address, downloaded them and found our uploaded image by searching for that photo of a certain file size.”

TechCrunch did not hear back from Popsugar prior to publication, but the bucket was locked down shortly after.

Popsugar’s VP of engineering Mike Patnode, however, did confirm soon after that “the bucket permissions weren’t set up correctly.”
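
A defender-side check for the misconfiguration described above, as an added example that is not from the article or from Popsugar: it flags a bucket policy or bucket ACL that lets anonymous callers list keys or download objects. The article does not say which setting was wrong, so both are treated as candidates; the policies, bucket name and account id are constructed, and the check is simplified (it ignores Deny statements and account-level Block Public Access).

```python
import json
from fnmatch import fnmatchcase

# ACL grantee URI that S3 uses for "anyone on the internet"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean any caller, signed in or not
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_exposure(policy_json, bucket_acl_grants):
    """Return which of {'list', 'read'} anonymous callers are granted."""
    exposed = set()
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in as_list(policy.get("Statement", [])):
        # Statements with a Condition may be narrowed (IP, VPC endpoint); review those by hand
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not is_anonymous(stmt.get("Principal")):
            continue
        for action in as_list(stmt.get("Action", [])):
            pattern = action.lower()  # IAM action names are case-insensitive
            if fnmatchcase("s3:listbucket", pattern):
                exposed.add("list")   # anyone can enumerate object keys
            if fnmatchcase("s3:getobject", pattern):
                exposed.add("read")   # anyone can download objects
    for grant in bucket_acl_grants:
        if (grant.get("Grantee", {}).get("URI") == ALL_USERS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            exposed.add("list")       # bucket-level READ allows listing keys
    return exposed

# Constructed sample policies (bucket name and account id are placeholders)
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-uploads"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-uploads/*"}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-uploads/*"}]})

if __name__ == "__main__":
    print(sorted(public_exposure(LEAKY_POLICY, [])), sorted(public_exposure(LOCKED_POLICY, [])))
```

An upload bucket that reports `list` is the case the article describes: filenames can be enumerated and then fetched one by one.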