Grindr, the world’s largest social networking app for Gay, Bi, Trans, and Queer people, contained a serious flaw in the authentication mechanism for users that allowed cyber criminals to change the passwords of Grindr users at will.
The security flaw was first discovered by security researcher Wassime Bouimadaghene who, after several failed attempts to elicit a response from Grindr, got in touch with well-known security geek Troy Hunt who finally managed to get Grindr to respond after one of his tweets went viral.
The security flaw was discovered within the mechanism used by Grindr to enable existing users to reset their passwords. After getting alerted by Bouimadaghene, Hunt got fellow security researcher Scott Helme, who is known for providing training on hacking and encryption, to create a new Grindr account.
Hunt then visited the Grindr password reset page, entered Helme’s email address that was used to set up the account, and noticed that Grindr sent the password reset key to the browser itself. By opening the developer tools on the browser, Hunt found both the key and Helme’s email address in the URL and used the key to reset the password of Helme’s Grindr account. Hunt termed this a “complete account takeover with a very trivial attack”.
“This is one of the most basic account takeover techniques I’ve seen. I cannot fathom why the reset token — which should be a secret key — is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly, this is something to be taken seriously,” he said.
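To make the defect concrete, here is an added illustration (not Grindr's code; the endpoint names, the `resetToken` field, the in-memory store and the stub mailer are all assumptions) that models the flaw described above beside a hardened reset flow. The vulnerable handler returns the secret to the anonymous caller, exactly the pattern Hunt describes; the hardened handler hands the token to the mailer only, stores just a hash of it with an expiry, makes it single-use, and answers identically for known and unknown addresses so the endpoint cannot be used to confirm who has an account.

```python
"""Toy model of a password-reset flow: token-in-response bug beside the fix.

Added example, not Grindr's code. Endpoint names, the 'resetToken' field,
the in-memory stores and the stub mailer are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple

# Constructed sample data: one registered account.
USERS: Dict[str, Dict[str, str]] = {"alice@example.com": {"password": "old-password"}}

# Reset state: email -> (sha256(token), expiry as a unix timestamp).
# Only a hash is stored, so a leaked database row yields no usable token.
RESET_STATE: Dict[str, Tuple[str, float]] = {}

# Stand-in for an outbound mailer: the only channel the token should travel on.
OUTBOX: List[Tuple[str, str]] = []

TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def vulnerable_request_reset(email: str) -> dict:
    """The flaw as described: an anonymous request gets the secret back.

    Anyone who knows the email address can read 'resetToken' from the
    response and complete the reset without ever seeing the mailbox.
    """
    if email not in USERS:
        return {"ok": False}
    token = secrets.token_urlsafe(32)
    RESET_STATE[email] = (_hash_token(token), time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((email, token))
    return {"ok": True, "email": email, "resetToken": token}  # the bug: secret in the body


def hardened_request_reset(email: str) -> dict:
    """Fixed flow: the token leaves the server only via the user's mailbox.

    The response is the same whether or not the address is registered,
    so the endpoint does not confirm account existence either.
    """
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_STATE[email] = (_hash_token(token), time.time() + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, token))
    return {"ok": True, "message": "If that address is registered, a reset email has been sent."}


def reset_password(email: str, token: str, new_password: str) -> bool:
    """Consume a reset token: it must match, be unexpired, and is single-use."""
    entry = RESET_STATE.get(email)
    if entry is None:
        return False
    token_hash, expiry = entry
    if time.time() > expiry:
        RESET_STATE.pop(email, None)
        return False
    # Constant-time comparison of the hashes avoids a timing side channel.
    if not hmac.compare_digest(token_hash, _hash_token(token)):
        return False
    RESET_STATE.pop(email, None)  # single use: a replayed token is rejected
    USERS[email]["password"] = new_password
    return True


def last_mailed_token(email: str) -> Optional[str]:
    """Stands in for 'the legitimate user opens the reset email'."""
    for recipient, token in reversed(OUTBOX):
        if recipient == email:
            return token
    return None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_request_reset("alice@example.com"))
    print("hardened:  ", hardened_request_reset("alice@example.com"))
    mailed = last_mailed_token("alice@example.com")
    print("reset with mailed token:", reset_password("alice@example.com", mailed, "new-password"))
    print("replay of same token:   ", reset_password("alice@example.com", mailed, "again"))
```

The detection angle follows from the same model: a reset endpoint whose response body carries anything resembling a token, or whose responses differ between registered and unregistered addresses, is the thing to look for in a code review or an API scan.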
The security flaw was plugged quickly after Hunt got in touch with a member of Grindr’s security team, but not before publicly asking for ways to contact Grindr via Twitter. “I suggest the only reason their Twitter account publicly replied to me was because my tweet garnered a lot of interest,” he said.
“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” Grindr said in response.
“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty programme to provide additional incentives for researchers to assist us in keeping our service secure going forward,” the company added.
Commenting on the security flaw discovered in Grindr, Martin Jartelius, CSO at Outpost24, said the exploit still requires an attacker to know a victim's email address, meaning that if you are not known to be a user, or if you signed up with an anonymous email address that others do not know, you are at a lower risk; but given the nature of the application, this can still be very uncomfortable for users.
“Based on the implications for some users, it could even have posed a threat to security by leveraging information for extorting control. In March 2019 CFIUS listed Chinese ownership of the application as a national security risk; what we see here is that ownership in and of itself was not the only risk, IT security of the application itself was and continued to be a risk as well,” he added.
Since the Grindr website returned the password reset key along with the associated email address, hackers could have used stolen email addresses, billions of which are readily available on Dark Web marketplaces, to carry out credential stuffing attacks and reset the passwords of Grindr accounts that were set up using email addresses later stolen or compromised by hackers.