Users of Ashley Madison, a “dating” service for those already in a committed relationship, may have had their private photos exposed online thanks to a flaw in the company’s platform, according to security researchers.

In a blog post published Wednesday, Bob Diachenko, the chief communications officer at security firm Kromtech, reported that the user “key” that is supposed to keep photos private does not function the way its users expect and may end up exposing images.

On Ashley Madison, there are public-facing photos that anyone can see when visiting a person’s profile and private photos that require permission to view. That permission comes in the form of a digital key that can be granted to another user to allow them to view the photos. However, Ashley Madison’s system apparently does not work as advertised thanks to a default setting.

According to Diachenko, the service automatically swaps keys between users if one person offers their own key to someone else. The recipient doesn’t even have to accept the key, meaning someone could offer their key, have the offer rejected, and then view the private photos of the person who turned down their offer.
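The reported behaviour can be modelled as an access-control rule that fires at offer time instead of at consent time. This is an added example, not code from Ashley Madison or Kromtech; the `Account` class, the `auto_reciprocate` setting and every function name are hypothetical. It contrasts the grant-on-offer default with a version where the recipient's photos are shared only after an explicit choice to share back.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    # Hypothetical setting modelling the default described in the article:
    # "share my private photos with anyone who shares theirs with me".
    auto_reciprocate: bool = True
    viewers: set = field(default_factory=set)  # names allowed to see my private photos


def can_view(viewer: Account, owner: Account) -> bool:
    return viewer.name in owner.viewers


def offer_key_flawed(sender: Account, recipient: Account) -> None:
    """Reported behaviour: the swap happens when the key is offered."""
    sender.viewers.add(recipient.name)       # sender shares their own photos
    if recipient.auto_reciprocate:
        # No accept/decline decision is consulted, so rejecting the offer
        # afterwards does not undo this grant.
        recipient.viewers.add(sender.name)


def offer_key_fixed(sender: Account, recipient: Account, pending: set) -> None:
    """Hardened form: an offer only shares the sender's photos."""
    sender.viewers.add(recipient.name)
    pending.add((sender.name, recipient.name))


def respond_fixed(sender: Account, recipient: Account, pending: set, share_back: bool) -> None:
    """The recipient's photos are shared only on their explicit decision."""
    if (sender.name, recipient.name) in pending:
        pending.discard((sender.name, recipient.name))
        if share_back:
            recipient.viewers.add(sender.name)


def demo() -> tuple:
    # Constructed accounts; "throwaway" stands for a freshly created profile.
    a, victim = Account("throwaway"), Account("victim")
    offer_key_flawed(a, victim)              # victim never accepts anything
    flawed = can_view(a, victim)
    b, c, pending = Account("throwaway2"), Account("victim2"), set()
    offer_key_fixed(b, c, pending)
    respond_fixed(b, c, pending, share_back=False)   # offer declined
    declined = can_view(b, c)
    respond_fixed(b, c, pending, share_back=True)    # stale response, no pending offer
    return flawed, declined, can_view(b, c)
```

In the hardened form a response is honoured only while a matching offer is pending, so a declined offer cannot later be turned into access.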

The issue is made more troubling by the fact that it is possible to set up multiple accounts with a single email address, allowing a person to simply create new accounts, offer their keys to other users and view their private pictures without permission.

Once those photos have been exposed to a user, they can be viewed by anyone who has a link to the photo. Technically that means anyone who can guess the URL could view the photo, though that is a much more challenging endeavor. With the key swapping bug, there is no reason to try to crack the URL—a person can gain access to the photo and share the link.

According to Diachenko, about 64 percent of private photos hosted on Ashley Madison—many of which are revealing and explicit—can be accessed by making use of the key swapping setting. The issue could easily lead to users being de-anonymized and having their private images exposed.

The researchers who discovered the issue have been in touch with Ashley Madison’s security team and have worked on a fix for the issue. The service has made updates that limit the extent to which the bug can be exploited, but has yet to fully address the issue.

Ashley Madison’s team has thus far chosen not to change the default setting for the private keys that allow photos to be shared with anyone who has shared their own key—a feature that is off by default on two other sites operated by Ashley Madison's parent company Ruby Life.

Users can protect themselves from the flawed system by changing their own settings to turn off the default option that shares private photos with anyone who has granted access to their own images.

If the 2015 hack of Ashley Madison that affected more than 37 million users of the site built for adulterous relationships wasn’t enough to keep users away from it, a flawed security setting likely won’t chase them away either. But for those who still use the site and are concerned about their privacy, it’s worth taking a look at the settings.