Grindr vulnerability allowed account takeover attacks

Via TechCrunch

A fairly simple vulnerability would’ve allowed anyone with a Grindr user’s email address to reset their password and access their account.

The Issue

A security researcher contacted Grindr with a simple, yet devastating vulnerability tied to password resets. The vulnerability would’ve allowed anyone with a user’s email address to reset their password and access the account itself, giving them access to their messages, matches, photos, and more.

The vulnerability was exploitable when a password reset was requested. When that happened, a link is emailed to the corresponding email address (as is the case with almost every other service or tool). When the link is clicked on the email, you’re able to reset the password for that account. However, Grindr was leaking password reset link details within the browser itself, meaning a hacker could’ve pretended to be an account holder, reset the password using an existing email address, then recreate the password reset link.

This would allow them to reset a user’s password without ever receiving the password reset link via email.

Grindr has since (some time after being told about the vulnerability) fixed the issue and stated that no malicious parties accessed any accounts.

Your Move

This problem brings up the privacy risks apps and services inherently carry, particularly when it comes to sensitive data. Especially in countries where a Grindr user may face harassment or even legal repercussions, an account exposure may lead to serious problems or complications.

As the case should be whenever downloading an app or signing up for a service, you should be aware that there is a risk that your information is leaked via a hack, a vulnerability, or a data breach. If you want to reduce your risk of having your details or accounts exposed, you may want to use a different email or log-in information for your accounts or you can try this Google trick. That tip (adding “+anything” to an existing gmail account during sign-up) would’ve made it much harder for a hacker to get into your account with just email data.

For more information about the Grindr hack, check out the TechCrunch article here.

Show More
Back to top button