#BugAlert: Dating app Grindr risked private user information

Oct 04, 2020
02:19 pm

What's the story

Popular gay dating app Grindr is drawing flak for a rather careless vulnerability in its service, an issue that risked the privacy and security of millions of people using the platform. It could have compromised private and confidential information of the users, but luckily enough, the team at Grindr patched the loophole before it was exploited. Here is more about it.

Issue

Vulnerability in password reset functionality

The bug in question, discovered by French security researcher Wassime Bouimadaghene, was tied to the password reset function of Grindr's website. He found that when you use the password reset option and enter the target's email address, the service returns the reset token, which should only ever reach the account holder's inbox, directly to the requesting web browser in its response.

Details

Appending the key to the reset URL opened the password-change page

Once the token was in hand, the researcher found, it could simply be appended to Grindr's password reset URL, which opened the page where the password for the account associated with that email could be changed. This means all one needed to completely take over a Grindr account was the user's email address and the token leaked by the reset request; no access to the victim's inbox was required.
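To make the two steps above concrete, here is an added Python example (not Grindr's code; the endpoint names, the in-memory account store, the sample account and the outbox are constructed for illustration). It places a reset handler that leaks the token in its response next to a corrected one that only mails the token, stores a hash of it with an expiry, and makes it single-use, then runs the attacker's "email address only" flow against both.

```python
import hashlib
import secrets
import time

# Constructed in-memory "database": email -> account record. Not Grindr's data
# model; the account below is a sample for this example.
ACCOUNTS = {
    "victim@example.com": {"password": "old-password"},
}

# Pending reset tokens, keyed by SHA-256(token) so a database leak does not hand
# out usable tokens. Value: (email, expiry as a unix timestamp).
PENDING_RESETS = {}

# Stand-in for the outbound mail system: the hardened flow appends
# (recipient, reset link) here instead of sending real mail, so this runs offline.
OUTBOX = []

RESET_TOKEN_TTL_SECONDS = 15 * 60


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset_vulnerable(email: str) -> dict:
    """Mirrors the reported flaw: the reset token is returned in the response body
    to whoever submitted the email address, not only to the account's inbox."""
    if email not in ACCOUNTS:
        return {"status": "unknown email"}
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[_token_hash(token)] = (email, time.time() + RESET_TOKEN_TTL_SECONDS)
    # The bug: the secret leaves the server in the response to the requester.
    return {"status": "ok", "resetToken": token}


def request_reset_hardened(email: str) -> dict:
    """Corrected flow: the token goes only to the account's email address. The
    caller gets the same generic acknowledgement whether or not the address is
    registered, so the endpoint cannot be used to enumerate accounts either."""
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        PENDING_RESETS[_token_hash(token)] = (email, time.time() + RESET_TOKEN_TTL_SECONDS)
        # Hypothetical reset link; the host name is an assumption.
        OUTBOX.append((email, f"https://app.example/reset?token={token}"))
    return {"status": "If that address is registered, a reset link has been sent."}


def reset_password(token: str, new_password: str) -> bool:
    """Consume a reset token: it must exist, be unexpired, and is single-use
    (pop() removes it before the password is changed)."""
    entry = PENDING_RESETS.pop(_token_hash(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if time.time() > expires_at:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


def attacker_takeover_via_vulnerable(victim_email: str) -> bool:
    """Attacker knows only the victim's email: request a reset, read the leaked
    token from the response, and set a new password. Returns True on takeover."""
    resp = request_reset_vulnerable(victim_email)
    token = resp.get("resetToken")
    if token is None:
        return False
    return reset_password(token, "attacker-chosen")


def attacker_attempt_via_hardened(victim_email: str) -> bool:
    """Same attacker against the fixed endpoint: the response carries no token,
    so there is nothing to append to the reset URL."""
    resp = request_reset_hardened(victim_email)
    token = resp.get("resetToken")
    if token is None:
        return False
    return reset_password(token, "attacker-chosen")
```

The check a reviewer should apply to any reset endpoint is the one the vulnerable handler fails: nothing that can complete the reset may appear in a response to the unauthenticated requester. The legitimate user in the hardened flow reads the link from the mailbox (here, OUTBOX), and the token is rejected a second time because it was consumed on first use.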

Response

Initially, Grindr kept ignoring the flaw

After discovering the bug, which threatened every Grindr account and its data (including sexuality information and HIV status), Wassime reported the issue to the dating company. However, the company did not act on the disclosures until Troy Hunt of Have I Been Pwned and TechCrunch publicly revealed the matter through their posts. The issue has now been fixed, according to a statement from the company.

Comment

Issue resolved before exploitation: Grindr COO

Speaking on the matter with TechCrunch, Grindr's COO Rick Marini said "We believe we addressed the issue before it was exploited by any malicious parties." He went on to add that the company will boost its security standards moving ahead through various measures, including partnering with a "leading security firm" and introducing a bug bounty program, where researchers reporting critical issues will be rewarded.