A shameful security flaw could have let anyone access your Grindr account
You would think a dating app that knows your sexuality and HIV status would take thorough precautions to keep that info protected, but Grindr has disappointed the world once again — this time, with a gobsmackingly egregious security vulnerability that could have let literally anyone who could guess your email address into your user account.
Luckily, French security researcher Wassime Bouimadaghene discovered the vulnerability, perhaps before it could be exploited, and it’s now been fixed.
Unluckily for Grindr, the company ignored his disclosures — until security researcher Troy Hunt (of Have I Been Pwned) and journalist Zack Whittaker (of TechCrunch) each confirmed the issue and wrote about it.
The details need to be seen to be believed (so please look at the image above) but the short version is this: if you put an email address into Grindr’s password reset form, it would send a message back to your web browser with the key you need to reset the password buried inside it.
You could then theoretically just copy and paste that key into a password reset URL (which Hunt did), and take over an account just like that.
Grindr COO Rick Marini told TechCrunch that “we believe we addressed the issue before it was exploited by any malicious parties,” and says Grindr will both partner with a “leading security firm” and introduce a bug bounty program. That should hopefully mean security researchers like Bouimadaghene will have an easier time getting in touch.
Again, this isn’t just an app that contains a few messages. Grindr users include gay, bi, trans and queer individuals, and the mere presence of the app on a person’s phone can indicate something about their sexuality they may not want revealed to the outside world. And yet this is the company that was caught sharing its users’ HIV status to other companies, and sharing other personal info to third-party advertisers.
That said, it might be a slightly different company now. This March, the company’s Chinese owners sold it to a group of US investors, who also became Grindr’s new management. Marini, the COO quoted by TechCrunch, was one of the investors in the group. Another, Jeff Bonforte, is the company’s new CEO.
You would think a dating app that knows your sexuality and HIV status would take thorough precautions to keep that info protected, but Grindr has disappointed the world once again — this time, with a gobsmackingly egregious security vulnerability that could have let literally anyone who could guess your email…
