Critical Grindr Account Takeover Bug Rings Alarm Bells
Security researchers have discovered a critical account takeover vulnerability in gay dating app Grindr, which could have exposed users to blackmail and identity theft.
The app is said to have around 27 million global users today, and stores highly sensitive information in users’ accounts, including messages with other users, photos, sexual orientation and HIV status.
That’s one of the reasons its ownership by Chinese firm Kunlun was considered a national security risk and a forced sale to a US company ensued.
Security expert Troy Hunt discovered the Grindr flaw after being tipped off by researcher Wassime Bouimadaghene, who had not received a response from its parent company.
After taking a look, he discovered that when a user requests a password reset, Grindr sends the reset token to their browser in its response.
This means an attacker with knowledge of the email used by a targeted user to register with the site could hijack that individual’s account — simply by copying and pasting the token into a password reset URL.
Once the app’s password had been reset, Hunt was also able to access the same account on the website version.
“This is one of the most basic account takeover techniques I've seen,” he argued.
“I cannot fathom why the reset token — which should be a secret key — is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously.”
Hunt also found Grindr’s vulnerability management response and triage to be found wanting, although once he finally got through to the firm’s security team the issue was mitigated within the hour.
Grindr said in response that it will be launching a new bug bounty program going forward, and is partnering with a “leading security firm” to make it easier for researchers to report issues they find with the app.