A POPULAR dating app has a major design flaw that lets anyone view saucy selfies sent privately between users.

The stunning blunder means that even naked selfies sent in a private chat to another user of the Jack'd app have been exposed.

Jack'd is a popular app for dating and hooking up, aimed primarily at gay and bisexual men.

Users don't need to sign up to the app, and there's no authentication system – which is a big problem.

It means that anyone can download the entire image database of the site – numbering millions of pics – and steal sensitive photos from users who thought they were sexting safely.

The flaw was first exposed by tech site The Register, after a tip-off from cybersecurity researcher Oliver Hough.

The risks of sexy selfies being exposed are immense, and the report warns that there's a risk of "potential blackmail" – especially for users who have chosen not to publicise their sexuality.

According to the report, the developers of the dating app were warned about the bug three months ago.

Yet the bug reportedly still persists as of February 2019, highlighting what appears to be severe neglect of responsibility.

"We were able to verify it is possible to access masses of public and private images without logging in nor installing the app," wrote The Register.

"The app should place strict access restrictions on which images should be viewable, so that if one user allows another user to see a sext pic, only the receiver should be allowed to see it.

"Instead, it is possible to see everyone's naked selfies."

In a statement given to The Sun, Mark Girolamo, CEO of Jack'd parent firm Online Buddies, said: "Our tech team is aware of the photo vulnerability and has already programmed the changes for this fix.

"They will deploy the fix tomorrow, February 7."

An Online Buddies spokesperson confirmed to The Sun that the "fix has now been implemented".

Of course this isn't the first time a dating app has been caught in a privacy controversy.

Last year, a report suggested that Grindr had exposed millions of users' private data.

And in July 2015, users of extramarital affair dating service Ashley Madison were hacked, with their data exposed online.