
A security flaw in Grindr let anyone easily hijack user accounts

Grindr, one of the world's largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user's account using only their email address.

Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he did not hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt for help.

The vulnerability was fixed a short time later.

Hunt tested and confirmed the vulnerability with help from a test account set up by Scott Helme, and shared his findings with TechCrunch.

Bouimadaghene found the vulnerability in how the app handles account password resets.

To reset a password, Grindr sends the user an email with a clickable link that contains an account password reset token. Once clicked, the user can change their password and is logged back into their account.

But Bouimadaghene found that Grindr's password reset page was leaking password reset tokens to the browser. That meant anyone who knew a user's registered email address could trigger the password reset and obtain the password reset token from the browser if they knew where to look.

Secret tokens used to reset Grindr account passwords, which are only supposed to be sent to a user's inbox, were leaking to the browser. (Image: Troy Hunt/supplied)

The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could simply craft their own clickable password reset link, identical to the one sent to the user's inbox, using the password reset token leaked to the browser.

With that crafted link, the malicious user can reset the account owner's password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation, and HIV status and last test date.
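The root cause described above is an API response that carries the same secret the server just emailed. The following Python model, added here as an illustration and not Grindr's code nor anything from Hunt's or Bouimadaghene's write-ups, puts the leaky reset flow beside a hardened one and includes the check a reviewer would run against either: compare what the endpoint returns to the browser with the token that went out by email. The user store, the stand-in mailbox (OUTBOX), the reset URL and the 15-minute lifetime are all constructed assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not Grindr's): one registered user and a stand-in mailbox.
USERS = {"alice@example.com": {"password": None}}
OUTBOX = []  # (recipient, reset_link); plays the role of the email provider
TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://app.example/password/reset"  # hypothetical reset page


def send_email(recipient, link):
    OUTBOX.append((recipient, link))


def hash_token(token):
    # Store only a digest so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def hash_password(password):
    # Salted PBKDF2 from the standard library; swap in argon2/bcrypt where available.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class VulnerableResetFlow:
    """Models the flaw in the article: the reply to the reset request echoes the
    very token that was emailed, so the browser that submitted the address
    receives the secret without any access to the inbox."""

    def __init__(self):
        self.tokens = {}  # raw token -> email

    def request_reset(self, email):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        send_email(email, f"{RESET_URL}?token={token}")
        return {"status": "ok", "resetToken": token}  # BUG: secret leaves the server twice


class HardenedResetFlow:
    """Token travels only by email, is stored hashed, expires, and is single-use.
    The response carries no secret and does not reveal whether the address exists."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # sha256(token) -> (email, expires_at)

    def request_reset(self, email):
        if email in USERS:
            token = secrets.token_urlsafe(32)
            self.pending[hash_token(token)] = (email, self.clock() + TOKEN_TTL_SECONDS)
            send_email(email, f"{RESET_URL}?token={token}")
        # Same response for known and unknown addresses.
        return {"status": "ok", "message": "If that address is registered, a reset link has been sent."}

    def complete_reset(self, token, new_password):
        entry = self.pending.pop(hash_token(token), None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expires_at = entry
        if self.clock() > expires_at:
            return False
        USERS[email]["password"] = hash_password(new_password)
        return True


def token_from_link(link):
    return parse_qs(urlparse(link).query)["token"][0]


def response_leaks_emailed_token(flow, email="alice@example.com"):
    """Reviewer's check: does any field of the API response equal the token
    that was delivered to the mailbox?"""
    OUTBOX.clear()
    response = flow.request_reset(email)
    emailed = token_from_link(OUTBOX[-1][1])
    return any(str(value) == emailed for value in response.values())


if __name__ == "__main__":
    print("vulnerable flow leaks token:", response_leaks_emailed_token(VulnerableResetFlow()))
    print("hardened flow leaks token:", response_leaks_emailed_token(HardenedResetFlow()))
```

The same comparison can be run against a real deployment by capturing the reset request's response in browser developer tools and the link from the inbox; if the two share the token, the reset endpoint is doing the mailbox's job for it.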

"This is one of the most basic account takeover techniques I've seen," Hunt wrote.

With a leaked password reset token, an attacker could reset a user's password, hijack their account and access their personal data. (Image: Troy Hunt/supplied)

In a statement, Grindr's chief operating officer Rick Marini told TechCrunch: "We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Fortunately, we believe we addressed the issue before it was exploited by any malicious parties."

"As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward," the company said.

Grindr has about 27 million users, with about 3 million using the app every day. Grindr was sold earlier this year by its former Chinese owner, Beijing Kunlun, to a Los Angeles-based company said to be led mostly by Americans, following accusations that the company's Chinese ownership constituted a national security risk.

Last year, it was reported that while under Chinese ownership, Grindr allowed engineers in Beijing access to the personal data of millions of U.S. users, including their private messages and HIV status.

You can send tips securely over Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com
