Grindr Promises Bug Bounty Program After Patching Password-Reset Flaw

Grindr has fixed a security flaw that allowed for password resets without access to a user’s email inbox, and said it will introduce a bug bounty program to simplify vulnerability reporting.

As security researcher Troy Hunt outlines, the flaw was present on Grindr’s password reset site. After entering an email address and solving a CAPTCHA, the site produced a message that told people to check their email for a password reset link. With the dev tools open on that site, however, anyone could view the reset URL that was sent to the user; no access to their email inbox was necessary.

“This is one of the most basic account takeover techniques I’ve seen,” Hunt writes. “I cannot fathom why the reset token——is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously.”
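The pattern Hunt describes, next to a handler that keeps the token out of the response, as an added Python example (not Grindr's code or Hunt's). The `reset_token` field name, the `app.example` URL and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed stand-ins for a user table, a token store and an outbound mail queue.
USERS = {"alice@example.com"}
RESET_HASHES = {}  # email -> SHA-256 of the outstanding reset token
OUTBOX = []        # (recipient, reset_url) pairs "sent" by email
RESET_URL = "https://app.example/reset?token={}"  # hypothetical URL
GENERIC = {"message": "If that address has an account, a reset link was sent."}


def _issue_token(email):
    """Create a token, keep only its hash server-side, and email the link."""
    token = secrets.token_urlsafe(32)
    RESET_HASHES[email] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, RESET_URL.format(token)))
    return token


def request_reset_vulnerable(email):
    """The flaw as described: the secret is echoed back to the anonymous caller."""
    body = dict(GENERIC)
    if email in USERS:
        body["reset_token"] = _issue_token(email)  # hypothetical field name
    return body


def request_reset_hardened(email):
    """The token leaves the server only by email; the body never carries it."""
    if email in USERS:
        _issue_token(email)
    return dict(GENERIC)


def redeem(email, token):
    """Single-use check: pop the stored hash and compare in constant time."""
    expected = RESET_HASHES.pop(email, None)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    return expected is not None and secrets.compare_digest(expected, supplied)


def response_leaks_token(email, response):
    """Regression check: does the HTTP response contain the emailed token?"""
    sent = [url for rcpt, url in OUTBOX if rcpt == email]
    if not sent:
        return False
    token = sent[-1].split("token=", 1)[1]
    return token in repr(response)
```

A check like `response_leaks_token` fits in an integration test suite, so that a later change that serializes the token into the response fails the build.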

Hunt was investigating the issue, however, because the researcher who first noticed the bug, Wassime Bouimadaghene, had trouble getting Grindr to respond to his queries. Bouimadaghene contacted Hunt after receiving no response from Grindr, so Hunt teamed up with fellow security researcher Scott Helme, who created a Grindr account for Hunt to try to crack. It worked.

“Consider also the extent of personal information Grindr collects, [which] would immediately be on display to anyone who accessed his account simply by knowing his email address,” Hunt writes.

Rick Marini, Grindr’s chief operating officer, tells TechCrunch that Grindr believes “we addressed the issue before it was exploited by any malicious parties.”

Going forward, “we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these,” Marini said. “In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

This isn’t the first user-related security issue that has come up on Grindr: In 2018, Grindr shared users’ HIV status with third-party firms, and back in 2016, a user’s location was surprisingly easy to pinpoint on the app.