Users of dating app Grindr have been warned to ensure their accounts are secure following the disclosure of a potentially dangerous security flaw.
Researchers discovered that attackers could be able to hijack a user’s account without using a password, with only an email address required to gain access.
Grindr is one of the world largest dating apps, allowing gay, lesbian, bisexual and trans users to chat and meet.
The flaw was discovered by French security researcher Wassime Bouimadaghene, who teamed up with security expert Troy Hunt after Grindr failed to respond to his original alert.
The issue concerned how the Grindr app dealt with requests from users to change their account passwords. The app would send out an email to users containing an account password reset token, which when clicked, allowed them to change their password and re-enter their account.
However the password reset page was leaking these tokens to the browser, meaning anyone who knew a user’s account email address could request a password reset. Hackers could have used this system to form their own malicious password reset link using these leaked tokens, resetting a user’s password without them knowing, giving access to an account and the personal information included within.
Grindr says it has now fixed the issue, which it says was addressed before it could be exploited, and thanked Bouimadaghene for his work. There’s no suggestion any user accounts were affected, but users should ensure they have a strong password in place anyway.
“This is a reminder for organisations to constantly check for vulnerabilities, whether it is leaking password tokens, a back door left open, or anything in between,” noted Jake Moore, Cybersecurity Specialist at ESET.
“Internal security researchers and threat hunters may not always seem a proactive way of spending money, but the safest way to keep on top of business protection is to continually try to discover vulnerabilities before bad actors find and exploit them.”
Grindr was previously named as one of a series of popular dating apps recently found to be leaking user information, along with the likes of Tinder and OKCupid, which were found to be collectively sharing users’ personal information with at least 135 companies.