Grindr security glitch gave hackers a ‘basic’ way to hijack accounts


Grindr has fixed a security glitch that gave any malicious user an easy way to take control of a user’s account with only their email address.

The dating and hook-up app has faced and fixed security challenges before. These have included sharing users’ HIV status with third-party companies and revealing users’ exact location.

However, the newly exposed security flaw is one of the most basic of all.

Technology publisher TechCrunch says French security researcher Wassime Bouimadaghene discovered the vulnerability. He reported the issue to Grindr but didn’t hear back. So he shared the details with other security experts to get help.

Grindr fixed the issue a short time later.

The problem was with how the app manages password resets. As in many apps, users can request a new password by entering the email address they used to register their account.

Grindr then sends them an email with a clickable link allowing them to reset the password. They can then get back into their account.

However, the security flaw allowed anyone who knows how to use developer tools on their internet browser to see what the password reset tokens looked like.

Because they all followed the same format, a person with even basic coding skills could request a token for themselves and use the same format to access other people’s accounts. The only information they would need was the user’s email address.

Once they had that, they could change the user’s password and access their private data on Grindr. In many cases, this includes photos, private messages, sexual orientation and even HIV status.
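As an added defensive illustration, not code from the article or from Grindr, the Python below shows the properties a reset token needs so that seeing your own token tells you nothing about anyone else's: drawn from the OS CSPRNG with no learnable format, stored only as a hash, bound to one email address, single-use and time-limited. The in-memory table, the example addresses and the 15-minute lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60

# Stand-in for the reset-token table (constructed for this example): maps
# sha256(token) -> (email, expiry). Only the hash is stored, so reading the
# table never yields a usable token.
_pending_resets: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a single-use token bound to `email`; it leaves the server only in the reset email.
    32 bytes from the OS CSPRNG: there is no shared format a caller could learn
    from their own token and reuse against another account.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending_resets[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, email: str, now: Optional[float] = None) -> bool:
    """Consume `token`; True only if it is unused, unexpired and bound to `email`."""
    now = time.time() if now is None else now
    record = _pending_resets.pop(_digest(token), None)  # single use: always removed
    if record is None:
        return False
    bound_email, expires_at = record
    if now > expires_at:
        return False
    # Constant-time compare so response timing does not reveal the bound address.
    return hmac.compare_digest(bound_email.encode(), email.encode())


def run_scenarios() -> Dict[str, bool]:
    """Exercise the flow with a fixed clock and return each outcome by name."""
    t0 = 1_000_000.0
    good = issue_reset_token("alice@example.com", now=t0)
    stale = issue_reset_token("alice@example.com", now=t0)
    return {
        "valid_accepted": redeem_reset_token(good, "alice@example.com", now=t0 + 60),
        "reuse_rejected": not redeem_reset_token(good, "alice@example.com", now=t0 + 61),
        "expired_rejected": not redeem_reset_token(stale, "alice@example.com", now=t0 + TOKEN_TTL_SECONDS + 1),
        "forged_rejected": not redeem_reset_token("guessed-token", "alice@example.com", now=t0),
    }
```

In a real service the table would be a database column holding the hash, and the token would never appear in any API response, only in the email sent to the address on file.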

Security expert Troy Hunt, who helped Bouimadaghene, told TechCrunch:

‘This is one of the most basic account takeover techniques I’ve seen.’

Flaw fixed before malicious users exploited it

However, Grindr said Bouimadaghene had spotted the security flaw before anyone could abuse it.

In a statement, Grindr’s chief operating officer Rick Marini said:

‘We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.

‘As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these.

‘In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.’

Making Grindr kinder

Grindr has around 27 million users with an estimated 3 million using the app every day.

However, while the app has allowed many to find sex, friends and even partners, it has also carried risks. These include tech security breaches, attracting crime including murder, and police harassment.

An American company now owns it after the US government decided its former Chinese owner posed a national security threat.

And this year it removed its ethnicity filter after years of complaints about racism.

Meanwhile the way in which some users reject other people on the basis of race, age, body shape and perceived femininity has consistently sparked debate among gay and bi men.

The app is now 11 years old. And a poll of GSN readers last year found that 18% thought it had been good for the LGBT+ community with 33% thinking it had been bad. Meanwhile 49% thought it had both positives and negatives.

Meanwhile a separate survey in March 2019 found that 56.5% of Grindr users thought they may eventually find the love of their lives on the app. Moreover, 84% of users have fallen in love with someone they met on Grindr.


Published on GayStarNews.

Author: Tris Reid-Smith
