Grindr security hole made it easy to hijack accounts

All you needed was a user’s email address.

Graham Cluley
@gcluley

As TechCrunch reports, gay dating app Grindr had a serious security vulnerability that could have allowed anyone to hijack control of a Grindr user’s account.

All you would need to seize control of a user’s account would be their email address.

French security researcher Wassime Bouimadaghene discovered the security hole which was in how Grindr handles password resets.

Sign up to our newsletter
Security news, advice, and tips.

In short, if you forget your Grindr password you can request a reset. Grindr then emails the owner of the account with a clickable link which will take them to a password reset page. To prevent mischief-making, the clickable link contains a secret reset token.

The token is supposed to verify you as the legitimate requester of the password reset. Only the legitimate user should know what the token is, as it is sent to their known email address.

But, as TechCrunch reports, Bouimadaghene found Grindr wasn’t keeping tokens secret:

But Bouimadaghene found that Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look.

The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link — the same link that was sent to the user’s inbox — using the leaked password reset token from the browser.

With that crafted link, the malicious user can reset the account owner’s password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.

Oh dear oh dear oh dear.

But never mind, Bouimadaghene is a kindly chap and informed Grindr about the potentially disastrous security issue.

Unfortunately… he didn’t hear back from them.

So Bouimadaghene reached out to HaveIBeenPwned’s Troy Hunt instead. Troy, fortunately, has enough weight in the infosecurity community to get Grindr to wake up and listen… and the issue was fixed soon afterwards.

Grindr says it does not believe that the security hole was exploited by any malicious parties.

The company also said that it was looking to improve how security researchers could report vulnerabilities to it in future:

“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

It’s easy to imagine how hacked Grindr accounts could have been exploited by a malicious party to expose personal information and explicit photographs.

It’s good that Grindr has now fixed the problem, but such an elementary security hole should never have been present in the first place.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.