A Grindr vulnerability allowed anyone who knew a user’s email address to easily reset their password and hijack their account. All a bad actor needed to do was enter the user’s email address on the password reset page and then open the browser’s developer tools to read the reset token. By appending that token to the end of the password reset URL, they did not even need access to the victim’s inbox, since that is the very URL sent to the user’s email anyway. It loads the page where they could enter a new password, giving them a way to take over the victim’s account.
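The bug pattern described above, as an added illustration that is not Grindr’s code and not from the article: a password reset handler that hands the reset token back to whoever submitted the form, next to a hardened version that sends the token only to the account holder’s inbox, stores just its hash, and makes the token single-use and time-limited. The user store, outbox and function names are constructed stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the user database and the outbound mail queue.
USERS = {"alice@example.com": {"password": "old-secret"}}
RESET_TOKENS = {}            # sha256(token) -> (email, expiry timestamp)
OUTBOX = []                  # (recipient, reset_url) that would be emailed
TOKEN_TTL_SECONDS = 15 * 60

def _issue_token(email):
    """Create a random token, keep only its hash server-side, queue the reset email."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return token

def request_reset_vulnerable(email):
    """The flaw the article describes: the token is returned in the HTTP response,
    so anyone who knows the address can read it in the browser's dev tools."""
    token = _issue_token(email)
    return {"status": "ok", "token": token}   # leaks the secret to the requester

def request_reset_hardened(email):
    """Fixed form: the token travels only by email, and the response is the same
    whether or not the address exists, so it also does not confirm accounts."""
    if email in USERS:
        _issue_token(email)
    return {"status": "ok"}

def complete_reset(token, new_password):
    """Consume a token exactly once; reject unknown or expired tokens."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop makes the token single-use
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry:
        return False
    USERS[email]["password"] = new_password
    return True
```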
A French security researcher named Wassime Bouimadaghene found the flaw and tried to report it to the dating service. When support closed his ticket and he didn’t hear back, he asked for help from security expert Troy Hunt, who worked with another security expert, Scott Helme, to set up a test account and confirm that the vulnerability existed.
Hunt, who called the issue “one of the most basic account takeover techniques” he’s ever seen, got in touch with Grindr’s security team immediately by posting a public request for their contact information on Twitter.
While Grindr quickly fixed the issue after hearing from Hunt, the incident underscored the platform’s weaknesses when it comes to security. That is a serious problem when the dating app serves people whose sexual orientations and identities could make them targets for harassment and violence.
This is not the first security issue Grindr has had to deal with. In 2023, it had several flaws that risked revealing a user’s location. Earlier this year, the Norwegian Consumer Council published a report accusing Grindr and other dating companies of sharing sensitive data, such as GPS locations.
Grindr chief operating officer Rick Marini told TechCrunch that in response to the discovery of this particular flaw, it is taking additional steps to tighten its security measures. It is making it easier for researchers to report security issues, and it promises to announce a new bug bounty program “soon.”