The popular LGBT+ hook-up app Grindr has fixed a glaring security flaw that allowed hackers to take over any account if they knew the user’s registered email address, TechCrunch reports.
Wassime Bouimadaghene, a French security researcher, originally uncovered the vulnerability in September. But after he shared his discovery with Grindr and was met with radio silence, he decided to team up with Australian security expert Troy Hunt, a regional director at Microsoft and the creator of the world’s largest database of stolen usernames and passwords, Have I Been Pwned?, to draw attention to an issue that put Grindr’s more than 3 million daily active users at risk.
Hunt shared these findings with the outlet and on his website Friday, explaining that the problem stemmed from Grindr’s process for letting users reset their passwords. Like many social media sites, Grindr uses account password reset tokens, a single-use, machine-generated code to verify that the person requesting a new password is the owner of the account. When a user asks to change their password, Grindr sends them an email with a link containing the token that, once clicked, lets them reset their password and regain access to their account.
However, Bouimadaghene discovered a serious issue with Grindr’s password reset page: Instead of solely sending the password reset token to a user’s email, Grindr also leaked it to the browser. “That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look,” TechCrunch reports.
In short, just by knowing the email address a user had associated with their Grindr account, a hacker could easily create their own clickable