Sunday, October 4, 2020

A shameful security flaw could have let anyone access your Grindr account


You would expect a dating app that knows your sexuality and HIV status to take every precaution to keep that information protected, but Grindr has let the world down yet again -- this time with a gobsmackingly blatant security vulnerability that could have let literally anyone who knew your email address into your user account.

Luckily, French security researcher Wassime Bouimadaghene discovered the vulnerability, presumably before it could be exploited, and it has now been fixed.

Unluckily for Grindr, the company ignored his disclosures -- until security researcher Troy Hunt (of Have I Been Pwned) and journalist Zack Whittaker (of TechCrunch) independently confirmed the issue and wrote about it.


The details need to be seen to be believed (so please watch the video above), but the short version is this: if you entered an email address into Grindr's password reset form, it would send a response back to your web browser with the key needed to reset that account's password embedded inside it.

You could then apparently just copy and paste that key into a password reset URL (which Hunt did) and take over the account, just like that.
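To make the flaw concrete, here is an added example (not Grindr's code, and not from the article) of a password-reset handler written the way the article describes, next to a hardened version: the leaky variant echoes the reset token back in the HTTP response to whoever typed the email address, while the hardened variant only ever sends the token to the mailbox, stores it hashed with an expiry, and returns the same generic reply whether or not the address exists. The user store, token table and outbox are constructed in-memory stand-ins.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for a user database, a reset-token table and an outgoing mail queue.
USERS = {"alice@example.test": {"password": "hunter2"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry timestamp)
OUTBOX = []         # (recipient, token) pairs the server would send by email

TOKEN_TTL_SECONDS = 15 * 60


def _hash(token: str) -> str:
    # Only the hash is stored, so reading the token table is not enough to redeem a reset.
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(email: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_hash(token)] = (email, time.time() + TOKEN_TTL_SECONDS)
    OUTBOX.append((email, token))           # the only channel the token should travel through
    return token


def vulnerable_reset_request(email: str) -> dict:
    """The pattern the article describes: the token is also returned to the browser that
    submitted the form, so anyone who knows the address gets it, not just the mailbox owner."""
    if email not in USERS:
        return {"status": "no such user"}   # also confirms which addresses are registered
    token = _issue_token(email)
    return {"status": "ok", "resetToken": token}   # the leak


def hardened_reset_request(email: str) -> dict:
    """Token leaves the server only via email; the response is identical for known and
    unknown addresses, which also removes the account-enumeration side channel."""
    if email in USERS:
        _issue_token(email)
    return {"status": "If that address is registered, a reset link has been sent."}


def redeem_reset(token: str, new_password: str) -> bool:
    """Single-use: the entry is removed on first use; expired or unknown tokens are rejected."""
    entry = RESET_TOKENS.pop(_hash(token), None)
    if entry is None or time.time() > entry[1]:
        return False
    email, _expiry = entry
    USERS[email]["password"] = new_password
    return True
```

A quick check that the response body of a reset endpoint never contains a token, and that the endpoint answers identically for registered and unregistered addresses, is a cheap regression test to keep around.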

Grindr COO Rick Marini told TechCrunch that "we believe we addressed the issue before it was exploited by any malicious parties," and says Grindr will both partner with a "leading security firm" and launch a bug bounty program. That should hopefully mean security researchers like Bouimadaghene will have an easier time getting in touch.

Again, this isn't just an app that contains a few messages. Grindr users include gay, bi, trans and queer individuals, and the mere presence of the app on a person's phone can reveal something about their sexuality that they may not want disclosed to the outside world. And yet this is the company that was caught sharing its users' HIV status with other companies, and sharing other personal info with third-party advertisers.

That said, it might be a slightly different company now. This March, the company's Chinese owners sold it to a group of US investors, who also became Grindr's new management. Marini, the COO quoted by TechCrunch, was one of the investors in the group. Another, Jeff Bonforte, is the company's new CEO.
