#BugAlert: Dating app Grindr risked private user information
What's the story
Popular gay dating app Grindr is drawing flak for a rather careless vulnerability in its service, an issue that risked the privacy and security of millions of people using the platform. It could have compromised private and confidential information of the users, but luckily enough, the team at Grindr patched the loophole before it was exploited. Here is more about it.
Issue
Vulnerability in password reset functionality
The glitch in question, discovered by French security researcher Wassime Bouimadaghene, tied to the password reset function of Grindr's website. Basically, he found that when you use the password reset option and enter the email of the target, the service sends a reset token required to reset their Grindr password back to the web browser.
Details
Using the key redirected to password reset page
Once the key is delivered, the researcher found, it could easily be added to the Grindr's password reset URL, which immediately redirected to the page where the password for the Grindr account associated with the input email could be changed. This means all one needed to completely take over a Grindr account was the email address of the user and the reset URL.
Response
Initially, Grindr kept ignoring the flaw
After discovering the bug, which threatened all Grindr accounts and their data (including sexuality information and HIV status), Wassime reported the issue to the dating company. However, the company kept ignoring the disclosures until the Troy Hunt's Have I Been Pwned and TechCrunch publicly revealed the matter through their posts. Now, the issue has been fixed, according to a statement from the company.
Comment
Issue resolved before exploitation: Grindr COO
Speaking on the matter with TechCrunch, Grindr's COO Rick Marini said "We believe we addressed the issue before it was exploited by any malicious parties." He went on to add that the company will boost its security standards moving ahead through various measures, including partnering with a "leading security firm" and introducing a bug bounty program, where researchers reporting critical issues will be rewarded.