Hacker exposes Grindr users’ intimate information and explicit photos

A popular smartphone app used by the gay community to hook up with similarly-minded people in their vicinity suffers from a serious security vulnerability that could expose personal information and explicit photos that they have been sent.

At least that’s the claim being made in The Sydney Morning Herald today.

If you’re not familiar with it, Grindr takes the hassle out of finding new acquaintances in your neighbourhood. So, if you’re looking for gay guys or gals in your vicinity a quick ping on Grindr will not only show you their photographs and details, but also how many feet away they are from you.

Before you know it, you’re flirting with a complete stranger and they’re sharing their precise location with your smartphone. At least, that’s what I’m led to believe.

If you think that would be a niche interest, then sit down as I tell you that Grindr claims to have over three million users. Yup, these days the internet is all about location, location, location.

According to journalist Ben Grubb, an unnamed hacker has revealed how to log in as another user on the Grindr app (or, indeed, its less famous straight equivalent – Blendr) without permission, impersonate them, send chat and photo messages, and view passwords.

As the photos and communications that can be exchanged can be of a – how shall I put this? – delicate nature, you can understand the potential problems.

Grindr’s founder Joel Simkhai has responded by saying that both Grindr and Blendr will be patched “over the next few days”, and that the company will roll out a major new security upgrade in the coming weeks.

Although Grindr’s Twitter feed has acknowledged the security vulnerability, I couldn’t find any information on their official website.

However, the Sydney Morning Herald strongly suggests that the problem may lie in Grindr’s underlying systems relying upon an id code to access its database, rather than a better form of authentication such as a username and password.

The hacker reportedly found that he could replace his id code, or hash, with that of another user – and then access their account.

It’s an elementary security mistake that we have seen many websites caught out by before, not that that will be any consolation to the romance-hunting users of Grindr and Blendr.
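The mistake the Herald describes, as an added illustration that is not Grindr's code and assumes nothing about its real API: a lookup that trusts a client-supplied id code beside one that only honours a server-signed session token issued after a credential check (all accounts, credentials and request shapes below are constructed).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed, hypothetical data store keyed by an id code ("hash"); not Grindr's schema.
ACCOUNTS = {
    "hash-alice": {"owner": "alice", "messages": ["photo from bob"]},
    "hash-bob": {"owner": "bob", "messages": ["photo from alice"]},
}

# Vulnerable pattern from the article: the server treats a client-supplied
# id code as proof of identity, so swapping it reads another user's account.
def vulnerable_lookup(request: dict) -> dict:
    return ACCOUNTS[request["user_hash"]]

# Hardened pattern: identity is taken only from a session token the server
# signed after checking credentials; any client-supplied id code is ignored.
SERVER_KEY = secrets.token_bytes(32)  # never leaves the server
CREDENTIALS = {"alice": "alice-pw", "bob": "bob-pw"}  # constructed; store salted hashes in practice

def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def login(username: str, password: str) -> Optional[str]:
    """Return a signed session token, or None if the credentials are wrong."""
    if not hmac.compare_digest(CREDENTIALS.get(username, ""), password):
        return None
    payload = f"{username}.{secrets.token_hex(8)}"  # nonce makes each token unique
    return f"{payload}.{_sign(payload)}"

def hardened_lookup(request: dict) -> Optional[dict]:
    """Resolve the caller from the token signature alone; reject forgeries."""
    parts = request.get("session", "").split(".")
    if len(parts) != 3:
        return None
    username, nonce, sig = parts
    if not hmac.compare_digest(_sign(f"{username}.{nonce}"), sig):
        return None
    return next((a for a in ACCOUNTS.values() if a["owner"] == username), None)
```

With the hardened version, a request that carries a valid token for one user but another user's id code still only ever returns the token holder's own account.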

If you’re a user of either application, and you don’t feel comfortable with your personal account potentially being accessible by others while you’re waiting for the apps to be updated, I would recommend wiping your accounts.

Here are the appropriate links:

Take care folks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
