Grindr Security Flaw Exposes Users’ Restricted Profiles And Location Data


The dating app world has once again been hit with a privacy scandal. DC-based developer Trevor Faden revealed a sweeping security flaw in Grindr’s code, a glitch he says has the potential to expose sensitive information of more than 3 million daily users.

According to Faden, Grindr attaches a list of restricted profiles to each user’s account so that the app stops displaying a profile once the user has blocked it. That list is normally never shown to anyone, but a loophole in Grindr’s API made it possible to retrieve it from the app’s own data, giving a user the names of every account that had blocked them.

Faden launched a website tool called C*ckBlocked that allowed users to retrieve their blocked lists by entering their Grindr username and password. Nearly 50,000 users signed up, and once they did so, Faden was able to gain access to a cache of other personal information that is not publicly available on Grindr profiles, including unread messages, email addresses, deleted photos, and location data -- even for users who had opted out of making their location public.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden warned NBC News.

To Queerty, he took a more lighthearted approach. “Luckily, someone finding out that you blocked them on Grindr isn’t a huge security vulnerability, as much as it is an awkward conversation waiting to happen,” he said. “That said, when you block someone on Grindr, you do assume that information will stay somewhat private.”

He added: “I assume Grindr will shut it down within a week, or patch the API I’m using so that it no longer displays the data, but I figure in the meantime, it’s interesting data that could spark some silly conversations.”

His intuition proved right. C*ckBlocked now displays a simple goodbye message: “The API that provided for the data was patched by Grindr on March 23rd, 2018. Thanks to @realytcracker and the Grindr team for being awesome about it.”

In a statement issued to NBC News, Grindr said it was aware of the vulnerability Faden found and had changed its system to prevent access to data regarding blocked accounts (though access to any of the other personal information remains untouched). The company also cautioned users not to enter their Grindr login credentials into any other apps or websites.

“Grindr moved quickly to make changes to its platform to resolve this issue,” the statement read. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

For his part, Faden maintains that he had no nefarious motives and did not share or collect any of the data he gained access to; his intention was merely to remind users of the importance of safeguarding their personal information.
