Illustration by Carly Jean Andrews
This article originally appeared on VICE Germany
Update, January 27th, 16:58: Around 1PM today, the Skirt Club site went offline. That means it is now impossible for criminals to use any remaining security gaps for their benefit.
It's a Saturday night in December 2016; about 50 women in gold and white dresses are milling about in an ornate living room in the Berlin neighbourhood of Schöneberg, occasionally flashing suspenders. The adjacent rooms boast three queen size beds, each covered in gold flower petals, and giant tubs, filled with water that has been stained with pink bath salts. The women are here to take part in a 'golden angels' themed play party produced by Skirt Club. Organiser Renée Nyx kicks the night off with a brief speech: "Skirt Club", she says, "is a safe place where women can play with each other." Within the next couple of hours, the women have taken off their dresses and are headed towards the beds in groups of twos, threes, fours and fives.
Skirt Club is an online platform that has been bringing "bi-curious or bisexual" women together since 2014. The organisation claims to do so in a manner that is private and discreet, and many members aren't openly bisexual. According to Nyx, Skirt Club has over 5,000 members worldwide. In order to become a member yourself, you have to fill in an online application and provide a full-body photo. You're only allowed to join if you are deemed worthy by an in-house committee, and once you're signed up you can buy tickets for sex parties, send other users private messages or upload photos.
As stated on their website, members can meet and have sex at Skirt Club parties "away from the prying eyes of men". Meanwhile the privacy disclaimer notes: "We endeavour to take all reasonable steps to protect your data. All the data collected by us is stored on a secure server."
But in December 2016, several anonymous sources contacted editors of VICE Germany and Motherboard Germany about serious security issues with the website. After they looked into those claims, the editors found that at that time, thousands of personal images that members had uploaded in order to join Skirt Club were accessible to non-members – photos of users partially or fully naked, often recognisable, sometimes even with their names mentioned in the image. You didn't need to hack the site to see them – they weren't password protected and anyone curious enough to make a bit of an effort could view and download the photos.
Maybe more worrying than the lack of security itself was the way in which Skirt Club dealt with the issue. After VICE Germany reported the security issues to Skirt Club in mid-December 2016, it took Skirt Club more than three weeks to patch the issue. The users' pictures and data aren't accessible anymore, but the security issue isn't resolved completely – and at the time of publication, Skirt Club hasn't informed users of the former problem.
VICE Germany met Jana*, 39, at the party in December. She said she had had to conjure up a lot of courage in order to register at Skirt Club and come to the party. "No one knows that I am bi in my environment," she said at the time. "Not my kids, my friends or clients." Jana is a businesswoman with three kids and a husband, but she used to sleep with women until she met and married her husband. "We have had a classic marriage for 15 years: strictly monogamous, a house in the suburbs." A few months before joining, she confessed to her husband that she still had a desire to be with women, and when she read about Skirt Club, she decided to register and buy a ticket for a party. "It seems to be a safe space to try it out. Exactly what I was looking for," she said then.
Many members of Skirt Club aren't open about their sexuality and they all have their own private reasons for it. Some do not feel their environment would react well to it, others just aren't sure about their sexuality and want to be able to experiment in private. Skirt Club offers that possibility, and claims to take its members' privacy seriously. But allowing for intimate photos of users to be easily accessible on the website and not fixing the issue thoroughly as soon as it's reported goes against that claim and betrays the users' trust.
Data leaks on sex sites can ruin lives – remember the Ashley Madison data breach. Ashley Madison is a site that offers its millions of members the option to arrange extramarital affairs. After a group of hackers published over 25 gigabytes of private data in the form of email addresses, credit card details and user passwords in July 2015, marriages and careers were destroyed. One priest, who had a profile on the website, wound up taking his own life.
Skirt Club used WordPress and the plug-in BuddyPress for their website, which are free and simple tools that millions of private blogs also use. That in itself is fine – WordPress offers every important function to protect a site from hackers and security threats. Setting those up just takes a few clicks. In Skirt Club's case, however, a small file that regulates access rights to images, information and data on a page was configured incorrectly – the so-called .htaccess file was just eight lines long, but with some serious mistakes in the code. This file can usually be found in any web shop and WordPress website – it's usually automatically installed and configured so that no one can access the server without the appropriate rights. Yet, somehow, this file was configured incorrectly in Skirt Club's case. "On a scale from 1-10 in regards to negligence, this is an 11," says Stephan Urbach, a tech expert and online privacy activist who analysed the security flaw together with editors from VICE Germany.
Before the security flaw was patched by Skirt Club, all it took to see the members' images was to type the regular website address into the browser, followed by the common names of WordPress subfolders. That made it possible to browse through the photos uploaded to Skirt Club's server. Every user, for example, has their own folder with all the images they ever uploaded to their profile, and another folder for more intimate photos from private messages. Once uploaded, users aren't able to take those images down from the server. Even photos that were sent with applications by rejected potential members were still on the server.
It took Stephan Urbach a minute to figure out which files had been configured wrongly and 45 minutes of research to find what code had to be written to fix the faulty .htaccess file. Urbach and VICE passed that information on to the founder of Skirt Club, who thanked them for flagging it and said the issue should be considered resolved. It wasn't. Now, a few weeks and some messages back and forth later, the issue is finally mostly fixed – at this point, the folders can't be opened and the image files can't be clicked anymore. But theoretically, a few files are still accessible without a password for people with intimate knowledge of the original security issue and the complete setup of the website's servers. Even though no one will access those files, it does show that the error in the code isn't fully resolved.
The security issues with Skirt Club's website didn't give access to credit card details or names with the images of users. But some photos do give away a lot about the identity of the person in the photo. If a user uploaded a picture on her Skirt Club profile she also uses on other websites linked to her name, she can be identified within a few clicks. In the files was a picture of a lawyer, for example, that led straight to the website of the firm she works for. And Skirt Club saved the original uploaded images, even if users cropped or edited them. We found the original file of the photo of a doctor who had cropped out her name tag on her lab coat.
"Oh God," said Jana when we called her to tell her about the security flaw. Her voice didn't have that confident, ironic tone it had when we met her at the party in December. "Our kids have no idea. Our friends are in their mid-forties, they live with their families in our neighbourhood – they wouldn't understand why I'm on this site." Lucia, another user we met at the party in December, responded in a similar way when we contacted her with the news. "It would be awful if the pictures came out," she said. Her partner knows that she's been a member of Skirt Club since October, but no one else does. "I work in a pretty conservative place," she says. "I keep my sexuality private for a reason."
Skirt Club's Response
It's not entirely clear who a Skirt Club user should contact with concerns about their privacy. Skirt Club's founder answered VICE Germany's enquiries via email, under a pseudonym – Genevieve LeJeune. Four days after the editors emailed Skirt Club with their findings, LeJeune responded by saying their hosting company had now fixed the issue. In the days that followed, the editors kept an ongoing correspondence with LeJeune, pointing out that the issues were not fixed and supplying instructions on how to go about it. As noted above, at this point the photos aren't accessible anymore, but the fix still isn't complete.
When asked how these kinds of mistakes could have been made by a community website focused on privacy and discretion, LeJeune wrote that "unfortunately, as any new organisation, we are forced to do too much with very little and without the expertise of larger organisations." In VICE Germany's estimation, however, it wouldn't have taken someone with some computer knowledge more than two hours to figure out what was wrong and how to make it right. As for her future plans with security on the website, LeJeune noted: "As our membership began to accelerate, we took the decision to replace our website. The new site will launch in just a few weeks time and it comes with increased security measures. As part of this launch we are deploying professional support to keep our website current and to protect it from new vulnerabilities as they are uncovered." She says that due to her development team's focus on the new website, the current website's maintenance was overlooked.
At the end of their correspondence, LeJeune asked VICE Germany's editors to reconsider publishing a story about the issues with the security on her website. "[W]hat exactly will you achieve? I am forced to question your true motive, and whether this is an attack on a minority group? Or even women in general?"
Publishing a story about Skirt Club's security issues is not an attack on bisexual women, nor on women in general. As Skirt Club parties are taking place in more and more cities, the company's success shows that there's a real interest in sites that allow people to explore their sexuality outside the confines of their immediate environment. Skirt Club and any initiatives like it have a responsibility to thoroughly honour the trust their users bestow on them. As the consequences of the Ashley Madison leak show, there's no room to be negligent or even just naive about online security.
For now, Skirt Club's security issues prove that uploading intimate information about yourself online is still a huge risk – however much a site can claim to be secure, private and discreet. A mistake in the way a website operates doesn't just affect its business, but its users' lives. As Jana said over the phone, "if you can't guarantee security and privacy, then at least be honest about it."
*Names have been changed for privacy reasons.