You would think a dating app that knows your sexuality and HIV status would take thorough precautions to keep that info protected, but Grindr has disappointed the world once again — this time, with a gobsmackingly egregious security vulnerability that could have let literally anyone who could guess your email address into your user account.
A shameful security flaw could have let anyone access your Grindr account
Just astoundingly bad
Just astoundingly bad
is a senior editor and founding member of The Verge who covers gadgets, games, and toys. He spent 15 years editing the likes of CNET, Gizmodo, and Engadget.
Luckily, French security researcher Wassime Bouimadaghene discovered the vulnerability, perhaps before it could be exploited, and it’s now been fixed.
Unluckily for Grindr, the company ignored his disclosures — until security researcher Troy Hunt (of Have I Been Pwned) and journalist Zack Whittaker (of TechCrunch) each confirmed the issue and wrote about it.
The details need to be seen to be believed (so please look at the image above) but the short version is this: if you put an email address into Grindr’s password reset form, it would send a message back to your web browser with the key you need to reset the password buried inside it.
You could then theoretically just copy and paste that key into a password reset URL (which Hunt did), and take over an account just like that.
Grindr COO Rick Marini told TechCrunch that “we believe we addressed the issue before it was exploited by any malicious parties,” and says Grindr will both partner with a “leading security firm” and introduce a bug bounty program. That should hopefully mean security researchers like Bouimadaghene will have an easier time getting in touch.
Grindr data is particularly sensitive
Again, this isn’t just an app that contains a few messages. Grindr users include gay, bi, trans and queer individuals, and the mere presence of the app on a person’s phone can indicate something about their sexuality they may not want revealed to the outside world. And yet this is the company that was caught sharing its users’ HIV status to other companies, and sharing other personal info to third-party advertisers.
That said, it might be a slightly different company now. This March, the company’s Chinese owners sold it to a group of US investors, who also became Grindr’s new management. Marini, the COO quoted by TechCrunch, was one of the investors in the group. Another, Jeff Bonforte, is the company’s new CEO.
Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.
