A security flaw in gay dating app Jack'd has left private intimate photos publicly exposed on the Internet.
Anyone with a Web browser who knows where to look can access millions of private photos, even if they do not have a Jack'd account, reports the BBC.
Researcher Oliver Hough told BBC News he had reported the flaw to Jack'd a year ago, but it has still not been fixed.
The company has not responded to a request for comment.
News site The Register first reported the flaw on February 5, even though it had not been fixed, in order to warn the app's users.
Jack'd has been downloaded more than five million times on the Google Play app store.
It lets members add "private" photos to their profile that should be visible to only specific people they have chosen to share them with.
However, Hough found that all the photos shared in the app were uploaded to the same open Web server, leaving them exposed.
And BBC News has seen evidence that private photos are still publicly available on the web server.
According to news website Ars Technica, the app also leaked "location data and other metadata about users."
Earlier this week, the company's chief executive, Mark Girolamo, told Ars Technica a fix would be deployed on Thursday.
However, Jack'd has not yet issued a statement confirming that the loophole has been fixed.