All you would need to seize control of a user’s account would be their email address.
French security researcher Wassime Bouimadaghene discovered the security hole which was in how Grindr handles password resets.
In short, if you forget your Grindr password you can request a reset. Grindr then emails the owner of the account with a clickable link which will take them to a password reset page. To prevent mischief-making, the clickable link contains a secret reset token.
The token is supposed to verify you as the legitimate requester of the password reset. Only the legitimate user should know what the token is, as it is sent to their known email address.
But, as TechCrunch reports, Bouimadaghene found Grindr wasn’t keeping tokens secret:
But Bouimadaghene found that Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look.
The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link — the same link that was sent to the user’s inbox — using the leaked password reset token from the browser.
With that crafted link, the malicious user can reset the account owner’s password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.
Oh dear oh dear oh dear.
But never mind, Bouimadaghene is a kindly chap and informed Grindr about the potentially disastrous security issue.
Unfortunately… he didn’t hear back from them.
So Bouimadaghene reached out to HaveIBeenPwned’s Troy Hunt instead. Troy, fortunately, has enough weight in the infosecurity community to get Grindr to wake up and listen… and the issue was fixed soon afterwards.
Grindr says it does not believe that the security hole was exploited by any malicious parties.
The company also said that it was looking to improve how security researchers could report vulnerabilities to it in future:
“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”
It’s easy to imagine how hacked Grindr accounts could have been exploited by a malicious party to expose personal information and explicit photographs.
It’s good that Grindr has now fixed the problem, but such an elementary security hole should never have been present in the first place.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.