But in Bonneau’s experiment with 16 popular websites, removing the photo from the main website didn't always remove it from the Content Delivery Network; in those cases, anyone who still had the destination URL would be able to view the photo.
In January, an Australian hacker exploited a security flaw in Grindr, the mobile app that allows gay and questioning men to find sexual partners nearby through the use of GPS technology.
In short, photos are hosted on an outside company’s servers.
As Joseph Bonneau explained, the main website provides an obfuscated URL for the photo to anyone it deems has permission to view it.
It’s good to familiarize yourself with the other available privacy settings regardless of which site you are using. Users hoping to create a barrier between their real identities and their online dating profiles might use strategies such as pseudonyms and misleading information in a profile to obfuscate their identity.
However, just changing your name and a few facts about your life may not be enough.
The vulnerability allows an attacker to impersonate another user, send messages on his behalf, access sensitive data like photos and messages, and even view passwords.