Grindr vulnerability left millions of accounts open to hijacking
Wassime tried to file a ticket on Grindr’s support page but it was subsequently deleted. The Frenchman then contacted two other security researchers in order to shine a light on the issue. It was only after one of them (Troy Hunt) posted about the problem on Twitter that Grindr’s own security team got involved.
The vulnerability exploits the “forgotten password” scenario. Attackers only need to enter the victim’s email and then open the dev console to get a “password reset” token. Armed with it, they can easily change the password and hijack the account. One of the security researchers called the issue “one of the most basic account takeover techniques.”
“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward,” Grindr chief operating officer Rick Marini told TechCrunch.