A serious security vulnerability in Grindr, the most popular dating app for gay, bi, trans, and queer people, has been discovered, which could have allowed anyone to infiltrate and take over a Grindr account simply by knowing the account holder’s email address.

As well as making it easy for bad actors to impersonate other people, the vulnerability would have given them easy access to potentially highly sensitive information, including the user’s HIV status, intimate pictures, dating history and sexual orientation.

In a blog post explaining how the vulnerability could be exploited, security researcher Troy Hunt described it as “one of the most basic account takeover techniques I’ve seen,” adding that “the ease of exploit is unbelievably low and the impact is obviously significant.”

He flagged the security flaw to Grindr after being tipped off by French security researcher Wassime Bouimadaghene, who had repeatedly tried to warn the company about it, only for his messages to fall on deaf ears.

Grindr has now fixed the issue, and says it doesn’t believe the vulnerability was exploited by anyone.

Bouimadaghene had discovered it was possible to take over a Grindr account simply by entering the email address associated with the account into the Grindr password reset tool.

As well as sending a clickable link with password reset token to that email address, Grindr had been leaking the token within the browser, and Bouimadaghene worked out that he could use that to reset the password on any account, without needing to access the user’s email.

Once the password associated with an account was reset, he could easily set a new password and completely take over the account. Troy Hunt confirmed this was the case.

“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” Grindr’s chief operating officer Rick Marini told TechCrunch.

“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

Grindr doesn’t have the greatest track record with matters of security. In 2018 it was revealed that it had been sharing users’ HIV status and test dates with other companies.

Sign-up to our daily newsletter for more articles like this + access to 5 extra articles

See why nearly a quarter of a million subscribers begin their day with the Starting 5.

Source: https://www.newsweek.com/grindr-security-flaw-reset-password-take-over-account-1536571

Grindr, Computer security, Vulnerability, User

World news – GB – Enormous Grindr security flaw could have let anyone reset your password and take over your account

En s’appuyant sur ses expertises dans les domaines du digital, des technologies et des process , CSS Engineering vous accompagne dans vos chantiers de transformation les plus ambitieux et vous aide à faire émerger de nouvelles idées, de nouvelles offres, de nouveaux modes de collaboration, de nouvelles manières de produire et de vendre.

CSS Engineering s’implique dans les projets de chaque client comme si c’était les siens. Nous croyons qu’une société de conseil devrait être plus que d’un conseiller. Nous nous mettons à la place de nos clients, pour aligner nos incitations à leurs objectifs, et collaborer pour débloquer le plein potentiel de leur entreprise. Cela établit des relations profondes et agréables.

Nos services:

  1. Création des sites web professionnels
  2. Hébergement web haute performance et illimité
  3. Vente et installation des caméras de vidéo surveillance
  4. Vente et installation des système de sécurité et d’alarme
  5. E-Marketing

Toutes nos réalisations ici https://www.css-engineering.com/en/works/

LEAVE A REPLY

Please enter your comment!
Please enter your name here