Grindr security hole made it easy to hijack accounts

All you needed was a user’s email address.

Grindr security hole made it easy to hijack accounts

As TechCrunch reports, gay dating app Grindr had a serious security vulnerability that could have allowed anyone to hijack control of a Grindr user’s account.

All you would need to seize control of a user’s account would be their email address.

French security researcher Wassime Bouimadaghene discovered the security hole which was in how Grindr handles password resets.

Sign up to our free newsletter.
Security news, advice, and tips.

In short, if you forget your Grindr password you can request a reset. Grindr then emails the owner of the account with a clickable link which will take them to a password reset page. To prevent mischief-making, the clickable link contains a secret reset token.

The token is supposed to verify you as the legitimate requester of the password reset. Only the legitimate user should know what the token is, as it is sent to their known email address.

But, as TechCrunch reports, Bouimadaghene found Grindr wasn’t keeping tokens secret:

But Bouimadaghene found that Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look.

The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link — the same link that was sent to the user’s inbox — using the leaked password reset token from the browser.

With that crafted link, the malicious user can reset the account owner’s password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.

Oh dear oh dear oh dear.

But never mind, Bouimadaghene is a kindly chap and informed Grindr about the potentially disastrous security issue.

Unfortunately… he didn’t hear back from them.

So Bouimadaghene reached out to HaveIBeenPwned’s Troy Hunt instead. Troy, fortunately, has enough weight in the infosecurity community to get Grindr to wake up and listen… and the issue was fixed soon afterwards.

Grindr says it does not believe that the security hole was exploited by any malicious parties.

The company also said that it was looking to improve how security researchers could report vulnerabilities to it in future:

“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

It’s easy to imagine how hacked Grindr accounts could have been exploited by a malicious party to expose personal information and explicit photographs.

It’s good that Grindr has now fixed the problem, but such an elementary security hole should never have been present in the first place.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Grindr security hole made it easy to hijack accounts”

  1. Francine marie Herraman

    This is all just mind-blowing that people will do this sort of stuff, stealing id and accounts, do I need to close my dating apps, yes apps I am on more than one how do I take them down.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.