Popular gay dating app Grindr is drawing flak for a careless vulnerability in its password reset flow, a flaw that put the privacy and security of the platform's millions of users at risk. It could have exposed users' private and confidential information, but according to Grindr the loophole was patched before anyone exploited it. Here is more about it.

Issue Vulnerability in password reset functionality

The glitch in question, discovered by French security researcher Wassime Bouimadaghene, was tied to the password reset function of Grindr's website. When someone used the password reset option and entered a target's email address, the service sent the reset token needed to change that account's password straight back to the requester's web browser in its response, instead of only to the account owner's inbox.

Details Using the key redirected to password reset page

Once the token was in hand, the researcher found, it could simply be appended to Grindr's password reset URL, which led directly to the page where the password for the account tied to the entered email could be changed. In other words, all an attacker needed to take over any Grindr account was the victim's email address: the reset link that should have reached only the victim could be assembled from the token the site itself handed over.
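To make the flaw concrete, here is an added illustration (not Grindr's code; the request handlers, in-memory storage, outbox and reset URL are constructed for the example): a reset handler that echoes the token in its response, beside a hardened one. It goes slightly beyond the article by also showing the companion controls a reset flow normally has: the stored token is hashed, expires and is single use, and the response is the same whether or not the address is registered.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample state standing in for a user database and an SMTP server.
USERS = {"victim@example.com": {"password_hash": "old-hash"}}
OUTBOX = []        # (recipient, message) pairs the mail server would deliver
PENDING = {}       # sha256(token) -> {"email": ..., "expires": ...}
TOKEN_TTL_SECONDS = 15 * 60


def _issue_token(email: str) -> str:
    """Mint a random token, store only its hash with an expiry, mail the link."""
    token = secrets.token_urlsafe(32)
    PENDING[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email,
        "expires": time.time() + TOKEN_TTL_SECONDS,
    }
    OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return token


def vulnerable_request_reset(email: str) -> dict:
    """The flawed pattern: the reset token is echoed in the HTTP response.

    Whoever submits the form receives the secret that should only reach the
    account owner's inbox, so knowing a victim's email address is enough.
    """
    if email not in USERS:
        return {"status": "unknown_email"}          # also tells the caller which emails exist
    token = _issue_token(email)
    return {"status": "sent", "resetToken": token}  # the leak


def hardened_request_reset(email: str) -> dict:
    """Hardened flow: a uniform response that carries no secret.

    The token travels only to the mailbox on file; the server keeps a hash so
    a database read yields nothing directly usable.
    """
    if email in USERS:
        _issue_token(email)
    return {"status": "If that address is registered, a reset link has been emailed."}


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume a token: single use, must be unexpired, looked up by its hash."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = PENDING.pop(digest, None)  # popped either way, so a token is never retried
    if record is None or record["expires"] < now:
        return False
    USERS[record["email"]]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def token_from_url(url: str) -> str:
    """Extract the token from a reset link, as the legitimate recipient's browser would."""
    return url.split("token=", 1)[1]


def attacker_takeover(request_reset, victim_email: str) -> bool:
    """Simulate the attack: submit the victim's address and use any token echoed back."""
    response = request_reset(victim_email)
    token = response.get("resetToken")
    return token is not None and complete_reset(token, "attacker-chosen")


if __name__ == "__main__":
    print("vulnerable flow taken over:", attacker_takeover(vulnerable_request_reset, "victim@example.com"))
    print("hardened flow taken over:  ", attacker_takeover(hardened_request_reset, "victim@example.com"))
```

The `now` argument on `complete_reset` exists only so expiry can be exercised without waiting. The hardened handler still does a little more work for registered addresses than for unknown ones, so a real deployment would add rate limiting on the endpoint rather than rely on the uniform message alone.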

Response Initially, Grindr kept ignoring the flaw

After discovering the bug, which threatened every Grindr account and its data (including sexual orientation and HIV status), Bouimadaghene reported the issue to the company. However, Grindr ignored the disclosure until Troy Hunt, who runs Have I Been Pwned, and TechCrunch made the matter public. The issue has now been fixed, according to a statement from the company.

Comment Issue resolved before exploitation: Grindr COO