Grindr Vulnerability Allowed Hackers to Reset Accounts' Passwords and Take Over Accounts

A significant Grindr vulnerability was discovered in September 2020. The security issue allowed bad actors to take over a user's Grindr account if they simply knew the user's e-mail address.

The adult-oriented social network had a very serious security flaw. An attacker needed nothing more than a user's e-mail address to break into the account. Feeding that e-mail address into the service's "Find your account" page (the equivalent of an "I forgot my password" form) brought up a CAPTCHA bot check, then a message saying that a password reset e-mail had been sent. However, opening the browser's developer tools, a single keypress in Chrome, revealed Grindr's internal password reset token right there in the page's code.

The user's e-mail address combined with the password reset token was enough to give an attacker access to the actual password reset page that the service links to in its e-mail. From that point on, changing the password and taking over the account is child's play.
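To make the flaw concrete, here is an added Python sketch (not Grindr's code and not taken from Troy Hunt's write-up) that contrasts the flawed design the article describes, a reset endpoint that hands the reset token back in its own HTTP response, with a hardened version in which the token only ever leaves the server through the e-mail channel, is stored hashed, expires, and can be used once. The in-memory stores, the example.invalid addresses and URL, the 15-minute lifetime and the `send_email` callback are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the account database (not real data).
USERS = {"user@example.invalid": {"salt": b"", "password_hash": b""}}
RESET_TOKENS = {}  # e-mail -> {"token_hash": str, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def _hash_token(token):
    """Only a hash of the reset token is stored, so a database leak does not expose live links."""
    return hashlib.sha256(token.encode()).hexdigest()


def vulnerable_request_reset(email, now=time.time):
    """Flawed pattern: the reset token is returned in the HTTP response body, so anyone
    who knows the e-mail address can read it straight out of the browser's developer tools."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = {"token_hash": _hash_token(token), "expires": now() + TOKEN_TTL_SECONDS}
    return {"status": "A password reset e-mail has been sent.", "resetToken": token}  # the leak


def hardened_request_reset(email, send_email, now=time.time):
    """Hardened pattern: the token travels only in the e-mail, and the response is identical
    whether or not the address is registered, so it also gives away nothing about accounts."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[email] = {"token_hash": _hash_token(token), "expires": now() + TOKEN_TTL_SECONDS}
        send_email(email, "https://example.invalid/reset?token=" + token)
    return {"status": "If that address is registered, a password reset e-mail has been sent."}


def complete_reset(email, token, new_password, now=time.time):
    """Accept a reset only with a valid, unexpired, single-use token bound to that e-mail."""
    record = RESET_TOKENS.get(email)
    if record is None or now() > record["expires"]:
        return False
    if not hmac.compare_digest(_hash_token(token), record["token_hash"]):
        return False
    del RESET_TOKENS[email]  # single use: a replayed link must fail
    salt, digest = hash_password(new_password)
    USERS[email] = {"salt": salt, "password_hash": digest}
    return True


def verify_password(email, password):
    """Constant-time check of a login attempt against the stored PBKDF2 digest."""
    user = USERS.get(email)
    if user is None:
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["password_hash"])


def response_leaks_token(response):
    """Lightweight review check: does the reset endpoint's response carry any token field?"""
    return any("token" in key.lower() for key in response)


if __name__ == "__main__":
    outbox = []  # constructed stand-in for the mail server
    print("vulnerable:", vulnerable_request_reset("user@example.invalid"))
    print("hardened:", hardened_request_reset("user@example.invalid", lambda to, link: outbox.append((to, link))))
    token = outbox[0][1].split("token=", 1)[1]
    print("reset accepted:", complete_reset("user@example.invalid", token, "new-passphrase"))
    print("replay accepted:", complete_reset("user@example.invalid", token, "again"))
```

The point of the comparison is that the fix is not in the token itself (both versions generate a strong random token) but in where it is allowed to appear: the reset endpoint's response must carry nothing that the e-mail's recipient alone is supposed to receive.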

Logging into the hijacked account with the newly set password brought up a pop-up telling the user to confirm the login through the mobile app. If you think this is two-factor authentication tied to your phone number, it isn't. Security researcher Troy Hunt, who conducted this small experiment in white-hat fashion and exposed the vulnerability with the help of a couple of colleagues, simply logged into the freshly hijacked account from his own phone using the changed password and the e-mail address, and that was it: the account was his to do with as he pleased.

Hunt stated that the vulnerability was among "the most basic account takeover techniques" he had come across in his years of work. Thankfully, after some initial hurdles contacting Grindr representatives on Twitter and creating a bit of a stir with a public tweet about the vulnerability, Hunt managed to get in touch with the platform's security team. The vulnerability has since been fixed by Grindr's developers.

Grindr Steps in With a Fix

Grindr representatives stated that the issue was discovered and patched before any bad actors were able to abuse it. The platform further announced plans to launch a bug bounty program in the foreseeable future.

This incident shows that no matter how strong your password is and no matter how invested you are in your personal cybersecurity, the fate of your information and accounts is sometimes simply not in your hands, and there is little you can do about an attack vector like the one found in Grindr's password reset flow.

Of course, this does not mean you should be careless. Against attacks like this one, which require no action on the user's part, your best bet is to enable a platform's two-factor authentication and secure your account with it as soon as it becomes available, if it isn't already.

October 6, 2020