A serious security vulnerability in Grindr, the most popular dating app for gay, bi, trans, and queer people, has been discovered, which could have allowed anyone to infiltrate and take over a Grindr account simply by knowing the account holder’s email address.
As well as making it easy for bad actors to impersonate other people, the vulnerability would have given them easy access to potentially highly sensitive information, including the user’s HIV status, intimate pictures, dating history and sexual orientation.
In a blog post explaining how the vulnerability could be exploited, security researcher Troy Hunt described it as “one of the most basic account takeover techniques I’ve seen,” adding that “the ease of exploit is unbelievably low and the impact is obviously significant.”
He flagged the security flaw to Grindr after being tipped off by French security researcher Wassime Bouimadaghene, who had repeatedly tried to warn the company about it, only for his messages to fall on deaf ears.
Grindr has now fixed the issue, and says it doesn’t believe the vulnerability was exploited by anyone.
How the vulnerability could be exploited
Bouimadaghene had discovered it was possible to take over a Grindr account simply by entering the email address associated with the account into the Grindr password reset tool.
As well as emailing a clickable link containing the password reset token to that address, Grindr's reset endpoint was returning the same token to the browser in its response. Bouimadaghene worked out that anyone who submitted a victim's email address could read the token from that response and use it to reset the password on the account, without ever needing access to the victim's inbox.
With the token in hand, he could set a new password of his choosing and completely take over the account. Troy Hunt confirmed this was the case.
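The flaw described above comes down to one line: the reset endpoint handed the token back to whoever requested the reset, instead of only to the mailbox it was emailed to. The following is an added example, not Grindr's code or anything from Hunt's or Bouimadaghene's write-ups; it models a password-reset service with a `leak_token_in_response` switch so the vulnerable and hardened behaviours can be run side by side against a constructed user table. The hardened path also hashes stored tokens, makes them single-use with an expiry, and returns the same generic message whether or not the address exists; those are standard practice assumed here, not details the article attributes to Grindr's fix.

```python
"""Account takeover via a reset token leaked in the HTTP response.

Added example: models the class of bug described in the article, not the
real Grindr API. All users, tokens and responses are constructed locally.
"""
import hashlib
import secrets
import time


class ResetService:
    """Minimal password-reset backend with a switchable token leak."""

    def __init__(self, leak_token_in_response: bool, ttl_seconds: int = 900):
        self.leak = leak_token_in_response
        self.ttl = ttl_seconds
        # Constructed sample account table (assumption: plaintext for brevity).
        self.users = {"alice@example.com": {"password": "hunter2"}}
        # sha256(token) -> (email, expiry); only the hash is stored server-side.
        self.pending = {}
        # Simulated mail delivery; only the account owner can read this.
        self.outbox = []

    def request_reset(self, email: str) -> dict:
        """Step 1: caller submits an email address to the reset form."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (email, time.time() + self.ttl)
            self.outbox.append((email, token))  # emailed link carries the token
            if self.leak:
                # THE BUG: the secret the email was supposed to protect is
                # echoed straight back to whoever made the request.
                return {"status": "ok", "email": email, "resetToken": token}
        # Hardened path: identical response whether or not the account exists,
        # and nothing the requester can use without the mailbox.
        return {"status": "ok",
                "message": "If that address exists, a reset link has been sent."}

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the link from the email is followed and a new password set."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop => token is single-use
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email]["password"] = new_password
        return True


def attacker_takeover(service: ResetService, victim_email: str,
                      new_password: str = "pwned") -> bool:
    """Attacker who knows only the victim's email address, not their inbox.

    Returns True if the account password was changed without touching
    service.outbox (i.e. the token came from the HTTP response alone).
    """
    response = service.request_reset(victim_email)
    token = response.get("resetToken")
    if token is None:
        return False  # nothing usable in the response; attack fails
    return service.complete_reset(token, new_password)


if __name__ == "__main__":
    vulnerable = ResetService(leak_token_in_response=True)
    print("vulnerable takeover:", attacker_takeover(vulnerable, "alice@example.com"))
    hardened = ResetService(leak_token_in_response=False)
    print("hardened takeover:  ", attacker_takeover(hardened, "alice@example.com"))
```

The check a reviewer would make on a real reset endpoint is the same one `attacker_takeover` makes: submit someone else's address, inspect the full response body (not just what the page renders), and confirm nothing in it is accepted by the "set new password" step. Hashing the stored token and popping it on use are defence in depth; they would not have stopped this particular bug, which is entirely in what the response contains.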
“We are grateful for the researcher who identified a vulnerability. The reported issue has
Dusting off and powering up an old Mac only to realize you can’t remember the password is a frustrating experience. Each failed login attempt can cause confusion and even panic. Don’t worry, though. Apple knows that a forgotten password situation is a personal hell that many of us run into, which is why the software includes built-in features for this exact situation.
There are a few different tools you can use, and the road you take to unlock your Mac without a password could depend on whether you linked your Apple ID to your user account on your Mac during setup. If you didn’t, that’s OK, there’s still another option to reset your account password. Here’s how to get started regaining control over your Mac computer.
Use your Apple ID to reset your password
Ideally, you’ll have linked your Apple ID to your user account on your Mac during the initial setup, which will make it possible to reset your user password with just a few clicks.
After entering the wrong user password three times, you’ll be asked if you want to reset the password using your Apple ID, provided it’s linked to your account. If you don’t see the message after your third attempt, your account isn’t linked to your Apple ID and you’ll need to use the method outlined below.
Here’s what to do:
Enter your Apple ID email address and password, and follow the rest of the prompts to create a new password. When you change the password, you’ll see a prompt letting you know a new login keychain — what MacOS uses to