A particularly egregious security flaw was discovered in dating app Grindr by a French security researcher before it was quickly patched by the developer so if you happen to be using Grindr, update your app.
The security flaw would’ve allowed an attacker to hijack a user’s account with little more than their email address. The flaw was discovered by Wassime Bouimadaghene according to Engadget.
As recreated by Troy Hunt, the Grindr website would generate a rest-password token in a browser window when a user requested a password reset. This token is meant to be emailed to a user but there it was, visible in the dev tools.
All it took was a copy and paste that token onto Grindr’s password reset URL and an attacker would have full control of a user’s account.
This means changing password, account details and even accessing private data.
According to Hunt, Grindr dragged its feet in addressing this security flaw but the good news is that it eventually patched the problem.
“We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties,” chief operating officer at Grindr, Rick Marini told Tech Crunch.
“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward,” the COO added.