A security researcher found a vulnerability in the Grindr dating app that was relatively simple to exploit. The flaw allowed anyone who guessed the email address of any Grindr account to take over that account, exposing users of hijacked accounts to possible blackmail and identity theft. Grindr has since patched the bug.
Grindr is one of the world’s largest social networking and dating apps for gay, bi, trans and queer people. The app has some 27 million registered users from all over the world, with roughly 4.5 million daily active users.
Grindr was developed by a Los Angeles-based company, which launched the app in March 2009. However, the app raised security concerns when it was acquired by the Chinese video gaming giant Beijing Kunlun in 2016. As with other Chinese-owned apps, the US government stated that Chinese ownership of the company constituted a national security threat, expressing concern that the app’s data could be used by the Chinese government.
Then last year, the press reported that Grindr had allowed Beijing engineers to access millions of US users’ private data. Consequently, Beijing Kunlun was forced to sell the app to a US company, much as Chinese-owned TikTok is being pressed to do today. Since June 2019, Grindr has once again been owned by a US firm.
The Vulnerability’s Discovery
The Grindr security vulnerability was discovered by French security researcher Wassime Bouimadaghene, who reported the issue to Grindr via a helpdesk ticket. When the ticket was closed and the issue ignored, Bouimadaghene reported it to well-known independent security expert Troy Hunt.
Hunt tested the vulnerability identified by Bouimadaghene and confirmed that Grindr was leaking password reset tokens. The vulnerability lay in the way the app handled account password resets.
As with many other applications, Grindr resets a password by sending the user an email containing a link. The link carries a password reset token; once clicked, it allows the user to set a new password and get back into their account. However, Bouimadaghene found that Grindr’s online password reset page was leaking the token’s details to the browser.
Full Account Takeover: How it Worked
When users request a password reset, Grindr shows a page telling them to check their email for a reset link. However, the response behind this password reset page also returned a URL containing the token’s key and the email address to which the token was sent. Consequently, anyone who knew how to inspect the response behind the webpage could steal the reset token.
“This is one of the most basic account takeover techniques I’ve seen,” Hunt said in a blog describing the issue. “I cannot fathom why the reset token — which should be a secret key — is returned in the response body of an anonymously issued request,” he added.
To exploit this vulnerability and steal the reset token, all an attacker needed to do was:
- Create a Grindr account
- Correctly guess another Grindr user’s registered email address and enter it in the password reset page
- Once the password reset response page showed, open the browser’s developer tools to view the page’s source code
- Copy the URL visible in the source code and paste it into the browser’s address bar
- Once the Reset Password page opened, enter a new password and click the Reset Password button
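The defensive counterpart to the flow described above, as an added example that is not Grindr’s code: the anonymous reset request returns the same generic message whether or not the address is registered and never includes the token, only a hash of the token is stored server-side, and the completing step resolves the account from that server-side record rather than from an email address carried in the link. The user store, mailer outbox and link format are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stores standing in for a database and a mailer
# (illustrative code, not Grindr's implementation).
USERS = {1: {"email": "alice@example.com", "password": "old-pw"},
         2: {"email": "bob@example.com", "password": "old-pw"}}
RESET_TOKENS = {}   # sha256(raw token) -> {"user_id": ..., "expires": ...}
OUTBOX = []         # (recipient, reset link) pairs the mailer would send
TOKEN_TTL_SECONDS = 15 * 60


def _user_id_for(email):
    return next((uid for uid, u in USERS.items()
                 if u["email"] == email.strip().lower()), None)


def request_reset(email):
    """Anonymous 'forgot password' endpoint. The response body is identical
    whether or not the address is registered and never carries the token:
    the raw token exists only in the email, and only its hash is stored."""
    uid = _user_id_for(email)
    if uid is not None:
        raw_token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
        RESET_TOKENS[token_hash] = {"user_id": uid,
                                    "expires": time.time() + TOKEN_TTL_SECONDS}
        OUTBOX.append((email, f"https://example.invalid/reset?token={raw_token}"))
    return {"message": "If that address is registered, a reset link has been sent."}


def complete_reset(raw_token, new_password, claimed_email=None):
    """Consume a reset token presented from the link. The account comes from
    the server-side record, not from any email in the URL; an email that
    disagrees with the record is rejected, so swapping the address in a
    captured link cannot redirect the reset. The token is removed on first
    presentation, valid or not (single use)."""
    token_hash = hashlib.sha256(raw_token.encode()).hexdigest()
    record = RESET_TOKENS.pop(token_hash, None)
    if record is None or record["expires"] < time.time():
        return False
    user = USERS[record["user_id"]]
    if claimed_email is not None and claimed_email.strip().lower() != user["email"]:
        return False
    user["password"] = new_password   # a real app would hash this
    return True
```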
Extremely Personal Data up for Grabs
Once this was done, attackers would have had full access to the hijacked account and all personal data held within. Grindr accounts hold photos, messages, the user’s sexual orientation, as well as their HIV status and their last test date. This is extremely personal data, which could expose users of hijacked accounts to possible blackmail and identity theft.
Furthermore, once an attacker knew the format of the URL, they could craft new URLs to hijack other users’ accounts using the same token key. All the attacker needed was the email addresses of other Grindr users, which they could then swap for the email address contained within the original URL.
Thus, an attacker could manually generate the unique link users would otherwise have received only via email. And finding email addresses to use would not have been difficult: billions of stolen valid email addresses are readily available on the dark web. These could be used to carry out credential stuffing attacks and then reset Grindr account passwords.
Grindr’s Response: A New Bug Bounty Program
Besides Grindr having no dedicated channel for reporting vulnerabilities, its initial response to the report was lacking. However, once the issue reached the security team, the vulnerability was fixed within the hour.
In a statement, Rick Marini, Grindr’s chief operating officer, said: “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.”
In response to the criticism of its initial handling of the vulnerability’s discovery, Grindr announced that “As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”