A major security flaw affecting the dating app Grindr allowed attackers to potentially take over any user’s account, provided they knew or could guess the email address associated with it.
The vulnerability enabled a complete account takeover using a trivial attack which only requires that the attacker enter a valid email address for the targeted account.
It has since been fixed, but Hunt noted the nature of the access to sensitive information potentially provided to attackers was concerning.
All the attacker needed to do to begin this attack was to visit the Grindr password reset page, where they would enter the email address of the target’s account.
After the captcha is completed on this page, a notification is shown stating that a password reset link has been emailed to the user.
However, inspecting the response using browser development tools revealed the password reset token, which could be pasted into the reset URL without needing to access the password reset email.
The attacker could then reset the user’s password and use the new credentials to log in to the user’s Grindr account through the mobile app.
The information which was exposed through this vulnerability include fields such as age, weight, ethnicity, HIV status, and more.
Private messages and other sensitive information such as images would also be exposed due to the complete takeover of the victim’s account by an attacker.
Grindr has since fixed this vulnerability, stating they believe the issue was addressed before it could be exploited by attackers.
“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these,” the company told TechCrunch.
“In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”