Grindr vulnerability left millions of accounts open to hijacking

We all know that software vulnerabilities are a common issue plaguing apps on every platform imaginable. Things get more serious when the app handles sensitive data, as Grindr does. A French security researcher named Wassime Bouimadaghene found a critical vulnerability in the dating app that let an attacker hijack any account while knowing nothing more than the victim's email address.

Wassime tried to file a ticket on Grindr's support page, but the ticket was deleted. He then contacted two other security researchers in order to shine a light on the issue. Only after one of them, Troy Hunt, posted about the problem on Twitter did Grindr's own security team get involved.

The vulnerability was in the "forgot password" flow. An attacker only had to enter the victim's email address on the reset form and then open the browser's developer console: the server's response to that request contained the password reset token, the same secret that should have reached only the victim's inbox. Armed with it, the attacker could set a new password and take over the account. One of the researchers called it "one of the most basic account takeover techniques."
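To make the flaw concrete, here is a minimal password-reset flow in Python written for this article as an illustration. It is not Grindr's code, and the account data, class and function names are made up. The same class runs either as the vulnerable flow (the reset token is echoed back in the response, which is exactly what the dev console shows) or as the fixed flow (the token goes only to a simulated outbox, is stored hashed, expires and is single-use). The attacker_takeover function plays the attacker's side and shows the takeover succeeding against one and failing against the other.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed sample account store standing in for the app's backend; the
# address and password are made up for this example.
SAMPLE_USERS = {"victim@example.com": {"password": "correct horse battery staple"}}


class ResetService:
    """Minimal 'forgot password' flow.

    With leak_token_in_response=True it reproduces the flaw described in the
    article: the reset token is copied into the response that the requester's
    browser receives (and can read in the dev console) instead of going only
    to the account holder's inbox. With False it is the hardened flow.
    """

    def __init__(self, leak_token_in_response: bool, users=None):
        self.leak = leak_token_in_response
        self.users = {k: dict(v) for k, v in (users or SAMPLE_USERS).items()}
        self.pending = {}   # sha256(token) -> (email, expiry timestamp)
        self.outbox = []    # simulated e-mails: (recipient, token)

    def request_reset(self, email: str) -> dict:
        # Same reply whether or not the address is registered, so the
        # endpoint cannot be used to enumerate accounts.
        response = {"status": 200,
                    "body": {"message": "If that address is registered, a reset link has been sent."}}
        if email not in self.users:
            return response
        token = secrets.token_urlsafe(32)          # 256 bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (email, time.time() + TOKEN_TTL_SECONDS)  # store hash only
        self.outbox.append((email, token))         # the only legitimate channel
        if self.leak:
            # The bug: the secret meant for the inbox is handed to whoever
            # typed the address in.
            response["body"]["resetToken"] = token
        return response

    def reset_password(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)     # single use: pop, don't get
        if entry is None:
            return False
        email, expiry = entry
        if time.time() > expiry:
            return False
        self.users[email]["password"] = new_password
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and secrets.compare_digest(user["password"], password)


def attacker_takeover(service: ResetService, victim_email: str) -> bool:
    """The attacker's side: request a reset for the victim's address, read the
    response (the dev-console step) and use whatever token it contains.
    Returns True if the attacker ends up able to log in as the victim."""
    resp = service.request_reset(victim_email)
    token = resp["body"].get("resetToken")
    if token is None:
        return False                               # nothing leaked to steal
    if not service.reset_password(token, "attacker-chosen"):
        return False
    return service.login(victim_email, "attacker-chosen")


if __name__ == "__main__":
    for leaky in (True, False):
        svc = ResetService(leak_token_in_response=leaky)
        outcome = "succeeded" if attacker_takeover(svc, "victim@example.com") else "failed"
        print(f"token leaked in response={leaky}: takeover {outcome}")
```

The point of the hardened branch is that the response body carries no secret at all: the token exists only in the email channel and, server-side, only as a hash, so neither the dev console nor a leaked database gives an attacker anything to submit to the reset endpoint.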

[Image: Troy Hunt]

“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward,” Grindr chief operating officer Rick Marini told TechCrunch.
