A serious security vulnerability in Grindr, the most popular dating app for gay, bi, trans, and queer people, has been discovered, which could have allowed anyone to infiltrate and take over a Grindr account simply by knowing the account holder’s email address.
As well as making it easy for bad actors to impersonate other people, the vulnerability would have given them easy access to potentially highly sensitive information, including the user’s HIV status, intimate pictures, dating history and sexual orientation.
In a blog post explaining how the vulnerability could be exploited, security researcher Troy Hunt described it as “one of the most basic account takeover techniques I’ve seen,” adding that “the ease of exploit is unbelievably low and the impact is obviously significant.”
He flagged the security flaw to Grindr after being tipped off by French security researcher Wassime Bouimadaghene, who had repeatedly tried to warn the company about it, only for his messages to fall on deaf ears.
Grindr has now fixed the issue, and says it doesn’t believe the vulnerability was exploited by anyone.
How the vulnerability could be exploited
Bouimadaghene had discovered it was possible to take over a Grindr account simply by entering the email address associated with the account into the Grindr password reset tool.
As well as sending a clickable link with password reset token to that email address, Grindr had been leaking the token within the browser, and Bouimadaghene worked out that he could use that to reset the password on any account, without needing to access the user’s email.
Once the password associated with an account was reset, he could easily set a new password and completely take over the account. Troy Hunt confirmed this was the case.
“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” Grindr’s chief operating officer Rick Marini told TechCrunch.
“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”
Grindr doesn’t have the greatest track record with matters of security. In 2018 it was revealed that it had been sharing users’ HIV status and test dates with other companies.