The popular LGBT+ hook-up app Grindr has fixed a glaring security flaw that allowed hackers to take over any account if they knew the user’s registered email address, TechCrunch reports.
Wassime Bouimadaghene, a French security researcher, originally uncovered the vulnerability in September. But after he shared his discovery with Grindr and was met with radio silence, he decided to team up with Australian security expert Troy Hunt, a regional director at Microsoft and the creator of the world’s largest database of stolen usernames and passwords, Have I Been Pwned?, to draw attention to an issue that put Grindr’s more than 3 million daily active users at risk.
Hunt shared these findings with the outlet and on his website Friday, explaining that the problem stemmed from Grindr’s process for letting users reset their passwords. Like many social media sites, Grindr uses account password reset tokens, a single-use, machine-generated code to verify that the person requesting a new password is the owner of the account. When a user asks to change their password, Grindr sends them an email with a link containing the token that, once clicked, lets them reset their password and regain access to their account.
However, Bouimadaghene discovered a serious issue with Grindr’s password reset page: Instead of solely sending the password reset token to a user’s email, Grindr also leaked it to the browser. “That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look,” TechCrunch reports.
In short, just by knowing the email address a user had associated with their Grindr account, a hacker could easily create their own clickable password reset link using the leaked token and hijack the account, gaining instant access to a user’s pictures, messages, HIV status, and more.
Hunt confirmed the vulnerability after setting up a test account with fellow security researcher Scott Helme. In his post Friday, Hunt called it “one of the most basic account takeover techniques I’ve seen.”
“I cannot fathom why the reset token — which should be a secret key — is returned in the response body of an anonymously issued request,” he continued. “The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously.”
And yet, it wasn’t. According to his post, Bouimadaghene reached out to Grindr’s support team on Sep. 24 and walked them through the potential account takeover process. A company representative told him that Grindr’s developers had been notified of the issue and flagged his ticket as “resolved.” When Bouimadaghene followed up over the course of the next few days, he was met with silence.
After testing and confirming the vulnerability, Hunt tagged Grindr in a tweet on Thursday asking for contact information for the company’s security team. The vulnerability was quickly resolved after he got in touch.
Grindr did not immediately respond to Gizmodo’s request for comment, but the company’s chief operating officer Rick Marini providing the following statement to TechCrunch:
“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”
You would think that, given Grindr’s history of security headaches, the company would have learned by now to be more responsive to reported vulnerabilities. In 2018, Grindr was forced to acknowledge that it shared information on users’ HIV status with third-party companies for optimisation purposes following a damning Buzzfeed investigation. Grindr later said it had stopped the practice. Earlier this year, the app’s former owner, Beijing Kunlun Tech, sold Grindr to a Los Angeles-based company after a U.S. national security panel raised concerns about the China-based company.