
Grindr security flaw which allowed hackers to hijack profiles exposed

The hack meant someone could access pictures, messages and details with just an email address.

2020-10-05

A Grindr vulnerability allowed potential hackers to access people’s accounts with their valid email address, it has been revealed.

The hack - now corrected - allowed access to various data belonging to the user, including messages, pictures, sexual orientation and HIV status.

The glitch was discovered by French security researcher Wassime Bouimadaghene, who turned to security expert Troy Hunt for help. They took their research to TechCrunch.

According to the publication, Bouimadaghene reported the issue to Grindr but didn’t hear back - although the glitch was fixed a short time later.

The hack involved emailed account password resets, and password reset tokens that were then leaked to the browser.

 
 
 

In a statement, Grindr’s chief operating officer Rick Marini told TechCrunch: “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed.

“Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.”

A company rep added: "As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward."

Grindr - which announced removal of ethnicity filters on the app earlier this year - has amassed over 27 million users since it launched in 2009.

Attitude has approached Grindr for comment.