Indecent Exposure, or the FetLife Security Hole

FetLife is a social networking website catering to fetishists or kinksters, and anyone can make an account for free. The website offers services to acquire friends, message profiles, and join group message boards. It's a great service for fetishists to connect with like-minded people and explore curiosities. However, the service is commonly mistaken for a dating website, and immature, promiscuous men message-bomb many of the female users (including transgender users).

This is beside the point. FetLife is used by many people of the lifestyle to stay connected with people from events or general gatherings. The majority of users prefer that their identity be protected and kept private from Vanilla society (for fear of being judged or scrutinized).

Privacy on a website demands service security, often known as Web Service Security (WSS). It is implied that a user can confidently use a web service without fear of privacy exposure. In other words, if your online banking service doesn't have WSS then the user becomes exposed.


Recently I received a message from someone named MirceaPopescu. The message was odd, random, not prompted, which was off-putting, but I read it anyway. The subject line read "ASL Search"; the body read "Done" followed by a link. Usually, a normal, smarter person wouldn't click an unsolicited link, but in this moment curiosity got the better of me.

The link directed me to a website, almost like a blog, with several small paragraphs about FetLife. Mostly it was criticism of the website's software and the search feature. His criticism of the search stack was irrational and messy, hence why he decided to provide a list of 30,000 female users who were all under the age of 30.

He welcomes visitors to click any column to sort the list as they see fit, and to visit the user profiles (each name linked to the FetLife profile).

I scrolled the list rather quickly and discovered one of my friends' accounts. I immediately contacted her husband. I also contacted any friends I had from FetLife via text messages. All of them were noticeably upset, and asked me concerned questions. I told them to stay calm and simply log into their accounts to remove any sensitive information or pictures. I informed them they had nothing to worry about, at this moment, about stolen identities or anything of that nature.


To protect the information and privacy of the users, I will not be providing the link.

The list is large, as it contains 30,000 users, and it's the first volume out of 30-plus that are coming out. More are expected from Mircea Popescu. Until the other volumes come out, only female user accounts are on his blog post.


His article ends with him saying a small fraction of the female users are real people. He also puts up an interesting offensive of how he doesn't care about getting banned, explains that the user profiles are not real people, is not afraid of being sued by FetLife, doesn't care about any hate, and hopes FetLife becomes aware of its mistake (claims of profile privacy).

Since his article and list went out, his account was banned on FetLife, and according to a commenter, she was also banned because she was on his friends list. The thought that FetLife would go to such lengths to cover up an embarrassment, as well as nip anything else in the bud, is a disturbing one. Any number of us who could have been on his friends list, for whatever reason, could potentially have had our accounts banned.


The first thought many FetLife users may have is "Good! He's an asshole for posting women's accounts on his blog." MirceaPopescu will be marked as the bad guy forever. FetLife already filed a claim against him and he is taking action to file a counterclaim.

As far as FetLife and its users are concerned, this guy is the villain in this story.


Or is he the anti-hero they needed?

To view anyone's account, a person first needs to have an account set up, and then it's fair game. Posting the list didn't automatically mean everyone on his two lists was exposed to the Vanilla world. A user's adult pictures, sexuality, sexual role, and list of fetishes are safe, as are passwords and credit cards. There was a small pandemonium over this list. He did, however, post a list of users on his website without their consent or permission, so yes, he's in the wrong for doing this.


He posted this list for a few reasons, including how FetLife wrote software with minimum things in mind. FetLife is a service catered toward the Kink World as a way of keeping in contact without using mainstream social networks (e.g. Facebook). The fetish lifestyle is something that is treated as very private and clandestine, and fetishists have to blend into everyday, normal society. A level of security and privacy is expected, but MirceaPopescu was able to access this stackable list easily from a script search.

As a matter of fact, one person demonstrates how anyone could make searching easier by having the latest version of Firefox, an add-on, and a small application. You can view it here.


Who should FetLife users be upset with?

Consider the following: Imagine you're using an online banking service, which holds your primary account. It should go without saying that you trust this bank's web portal and services, but somebody was able to expose you among a list of other account holders with your account number, account balance, and account location. All of this on his website. Do you get upset with the guy who put this list together? No! You get upset with the bank that had a huge security hole.


Even though MirceaPopescu violated a number of users' profiles by posting them on a list without their consent, the anger should be directed toward FetLife and BitLove Inc. FetLife writes in its Community Guidelines that it's "fun and safe", but clearly it is not as safe as users are led to believe. There is still a lot the developers need to repair before it can fully be a trusted website.

My advice: if you keep using FetLife (it's sort of the only website fetishists have), be wary of what you post and write on your account. The other option is to drop your account altogether. The choice is yours.


Every user should file a complaint to FetLife about this list. Contact information for FetLife can be found here.

