A serious security vulnerability in Grindr, the most popular dating app for gay, bi, trans, and queer people, has been discovered, which could have allowed anyone to infiltrate and take over a Grindr account simply by knowing the account holder’s email address.

As well as making it easy for bad actors to impersonate other people, the vulnerability would have given them easy access to potentially highly sensitive information, including the user’s HIV status, intimate pictures, dating history and sexual orientation.

In a blog post explaining how the vulnerability could be exploited, security researcher Troy Hunt described it asone of the most basic account takeover techniques I’ve seen,” adding thatthe ease of exploit is unbelievably low and the impact is obviously significant.

He flagged the security flaw to Grindr after being tipped off by French security researcher Wassime Bouimadaghene, who had repeatedly tried to warn the company about it, only for his messages to fall on deaf ears.

Grindr has now fixed the issue, and says it doesn’t believe the vulnerability was exploited by anyone.

Bouimadaghene had discovered it was possible to take over a Grindr account simply by entering the email address associated with the account into the Grindr password reset tool.

As well as sending a clickable link with password reset token to that email address, Grindr had been leaking the token within the browser, and Bouimadaghene worked out that he could use that to reset the password on any account, without needing to access the user’s email.

Once the password associated with an account was reset, he could easily set a new password and completely take over the account. Troy Hunt confirmed this was the case.

We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” Grindr’s chief operating officer Rick Marini told TechCrunch.

“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.

Grindr doesn’t have the greatest track record with matters of security. In 2018 it was revealed that it had been sharing usersHIV status and test dates with other companies.

Sign-up to our daily newsletter for more articles like this + access to 5 extra articles

See why nearly a quarter of a million subscribers begin their day with the Starting 5.

Source: https://www.newsweek.com/grindr-security-flaw-reset-password-take-over-account-1536571

Grindr, Computer security, Vulnerability, User

World news – GB – Enormous Grindr security flaw could have let anyone reset your password and take over your account

Building on its expertise in the areas of digital, technologies and processes , CSS Engineering you in your most ambitious transformation projects and helps you bring out new ideas, new offers, new modes of collaboration, new ways of producing and selling.

CSS Engineering is involved in projects each customer as if it were his own. We believe a consulting company should be more than an advisor. We put ourselves in the place of our customers, to align we incentives to their goals, and collaborate to unlock the full potential their business. This establishes deep relationships and enjoyable.

Our services:

  1. Create professional websites
  2. Hosting high performance and unlimited
  3. Sale and video surveillance cameras installation
  4. Sale and Installation of security system and alarm
  5. E-Marketing

All our achievements here https://www.css-engineering.com/en/works/

LEAVE A REPLY

Please enter your comment!
Please enter your name here