Anyone with the account’s email address could reset the user’s password and take over a profile.
A hack into Grindr app security made it possible for anyone with the email address associated with a valid account to simply reset the password and gain full control over the profile.
The vulnerability was revealed online by security experts who reported it to the application.
The Grindr app security problem was reported to the owners of the application. The vulnerability made it possible to gain full access to an individual’s account in the LGBT dating app, including messages, images and HIV status.
“Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” said a statement released by the application. This suggests that the vulnerability has been fixed or patched and that it is no longer possible to take over accounts using the aforementioned methods.
The flaw was initially detected by Wassime Bouimadaghene, a French security researcher. It was originally documented by Scott Helme and Troy Hunt, security experts.
The Grinder app security flaw was extremely simple to abuse and could have been devastating.
The now-repaired flaw made it exceptionally simple for a hacker to take over an account. All they would need to do is enter the email address of the target on the password reset page. This caused a link to be emailed to the owner prompting a password change. Though that is a typical process, what made this one different was that the URL could also be found within the website’s code.
This made it easy for the hacker to pluck that URL out of the code, enter it into a new page and reset the account password before the genuine user could do anything about it.
At that point, the hacker gained full control over the account, including all personal data stored within. The hacker would have full access to messages, photos, sexual orientation, HIV status and even the last date that the user had an HIV test.
“We are grateful to the researcher who identified a vulnerability,” said Rick Marini, Grindr chief operating officer, confirming that: “The reported issue has been fixed.”
Marini also pointed out that the company was actively working to ensure strong Grindr app security by improving the reporting procedure as well as the incentives for security researchers to identify and report such issues.