You’d think a dating app that knows your sexuality and HIV status would take careful precautions to keep that information secure, but Grindr has let the world down yet again, this time, with an incredibly egregious security vulnerability that it could have. to leave literally anyone who can guess your email address in your user account.
Fortunately, French security researcher Wassime Bouimadaghene discovered the vulnerability, perhaps before it could be exploited, and it has now been fixed.
Unfortunately for Grindr, the company ignored his revelations ̵
The details have to be seen to be believed (so see the image above) but the short version is this: if you enter an email address in Grindr’s password reset form, it would send a message to your web browser with the key needed to reset the password buried inside.
You could then theoretically copy and paste that key into a password reset URL (which Hunt did) and take control of an account just like that.
Grindr COO Rick Marini said so TechCrunch that “we believe we have fixed the problem before it was exploited by any malicious party” and states that Grindr will partner with a “leading security company” and introduce a bug bounty program. Hopefully this means that security researchers like Bouimadaghene will have a harder time getting in touch.
Again, this isn’t just an app that holds a few messages. Grindr users include gay, bisexual, trans and queer individuals, and the mere presence of the app on a person’s phone can indicate something about their sexuality that they may not want to reveal to the outside world. Yet this is the company that was caught sharing its users’ HIV status with other companies and sharing other personal information with third-party advertisers.
That said, it may be a slightly different company now. Last March, the Chinese owners of the company sold it to a group of US investors, who also became Grindr’s new management. Marini, the COO quoted by TechCrunch, was one of the group’s investors. Another, Jeff Bonforte, is the new CEO of the company.