Grindr Security Flaw Let Hackers Hijack Accounts

Contributed by: kellyseal on Friday, November 13 2020 @ 10:16 am

Last modified on Friday, November 13 2020 @ 10:16 am

Grindr Password Reset Flaw

Dating app Grindr fixed a security flaw in its service in early October that allowed anyone to easily hijack user accounts. The company says it believes the flaw was fixed before it was exploited, but the vulnerability still caused concern.

The flaw allowed anyone to hijack a user’s account knowing only the email address registered to it. It was discovered by security researcher Wassime Bouimadaghene, who reported it to Grindr. According to TechCrunch[*1], he initially heard nothing back and turned to security expert Troy Hunt for assistance.

Bouimadaghene found the problem in the app’s password reset function, according to TechCrunch, with whom he shared his findings. When a user requests a password reset, Grindr emails them a link containing a reset token; the user must follow that link to set a new password and regain access to the account. The problem was that Grindr’s password reset page also returned that token in the server’s response to the reset request, where it was visible in the browser’s developer tools. Anyone who knew a victim’s email address could therefore request a reset, read the token out of the response, build the reset link themselves, and set a new password without ever seeing the victim’s inbox.
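To make the failure mode concrete, here is an added illustration of a password reset flow with the leak beside its hardened form. This is not Grindr’s code; the handler names, the JSON field names (including `resetToken`), the reset URL `https://app.example/reset`, the sample user and the in-memory stores are all assumed or constructed for the example. Both handlers generate a random token, store only its hash server side and email the link; the vulnerable one additionally echoes the token in the HTTP response, which is exactly the defect described above.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample user store: email -> password hash (toy hashing, demo only).
USERS = {"victim@example.com": hashlib.sha256(b"original-password").hexdigest()}

# Pending resets: email -> (sha256 of token, expiry time). Storing the hash
# means a database leak does not hand out usable reset tokens.
PENDING_RESETS = {}

# Stand-in for the outbound email system so the example runs offline.
EMAIL_OUTBOX = []


def _issue_token(email):
    """Generate a fresh token, store only its hash, and 'email' the reset link."""
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[email] = (hashlib.sha256(token.encode()).hexdigest(),
                             time.time() + TOKEN_TTL_SECONDS)
    EMAIL_OUTBOX.append({"to": email,
                         "reset_link": f"https://app.example/reset?token={token}"})
    return token


def request_reset_vulnerable(email):
    """The flaw: the token meant only for the email link is also echoed in the
    response body, where browser developer tools or any API client can read it.
    The 404 on unknown addresses additionally confirms which emails exist."""
    if email not in USERS:
        return {"status": 404, "body": {"message": "unknown account"}}
    token = _issue_token(email)
    return {"status": 200, "body": {"message": "reset email sent", "resetToken": token}}


def request_reset_hardened(email):
    """The token leaves the server only via email, and the response is identical
    for registered and unregistered addresses (no account enumeration)."""
    if email in USERS:
        _issue_token(email)
    return {"status": 200,
            "body": {"message": "If that address is registered, a reset email has been sent."}}


def complete_reset(email, token, new_password):
    """Consume a reset token: it must exist, be unexpired, match in constant
    time, and it is single use."""
    entry = PENDING_RESETS.get(email)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if time.time() > expiry:
        del PENDING_RESETS[email]
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored_hash):
        return False
    del PENDING_RESETS[email]
    USERS[email] = hashlib.sha256(new_password.encode()).hexdigest()
    return True


def check_password(email, password):
    return USERS.get(email) == hashlib.sha256(password.encode()).hexdigest()


def attacker_hijack(email, request_reset):
    """Attacker knows only the victim's email and sees the HTTP response, never
    the victim's inbox. Succeeds only if the response leaks the token."""
    resp = request_reset(email)
    leaked = resp["body"].get("resetToken")
    if leaked is None:
        return False
    return complete_reset(email, leaked, "attacker-chosen-password")


def legitimate_reset(email, request_reset, new_password):
    """The intended flow: the account owner reads the link from their own email."""
    request_reset(email)
    if not EMAIL_OUTBOX or EMAIL_OUTBOX[-1]["to"] != email:
        return False
    token = EMAIL_OUTBOX[-1]["reset_link"].split("token=", 1)[1]
    return complete_reset(email, token, new_password)


if __name__ == "__main__":
    print("vulnerable endpoint hijacked:",
          attacker_hijack("victim@example.com", request_reset_vulnerable))
    print("hardened endpoint hijacked:",
          attacker_hijack("victim@example.com", request_reset_hardened))
```

The practical check when reviewing a reset endpoint is the one the attacker function performs: call the reset API with nothing but an email address and inspect every field of the response, including headers and any redirect location, for the token or the full reset link. The hardened handler also closes two neighbouring weaknesses the same review should look for: the differing status code that confirms which addresses are registered, and tokens that are stored in the clear or reusable after a successful reset.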

[Image: password reset page. Image: Troy Hunt]

An attacker who took over an account this way would have had full access to its personal data, including photos, messages, sexual orientation and HIV status.

Grindr has faced security and privacy issues before. Most notably, while it was owned by Chinese company Beijing Kunlun Tech, engineers located in China had access to this kind of personal user data. The U.S. government agency CFIUS (the Committee on Foreign Investment in the United States) determined that this constituted a national security threat because of the sensitive information the app handles, particularly for military and administration personnel using it, and ordered the company to be sold. Earlier this year, Kunlun Tech sold its 98% stake in Grindr to a Los Angeles-based company, San Vicente Acquisition Partners.

The recent flaw in Grindr’s password reset process has been fixed, but it did raise concerns about the security of the app.

Grindr’s chief operating officer Rick Marini[*2] told TechCrunch: “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.”

He went on to say that the company is partnering with a security firm to “simplify and improve the ability for security researchers to report issues such as these.” He added: “…we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.” 

No other details were provided about the bug bounty program or the security firm.


Dating Sites Reviews - Grindr Security Flaw Let Hackers Hijack Accounts
https://www.datingsitesreviews.com/article.php?story=grindr-security-flaw-let-hackers-hijack-accounts

[*1] https://techcrunch.com/2020/10/02/grindr-account-hijack-flaw/
[*2] https://crunchbase.com/person/rick-marini