Grindr Vulnerability Allowed Hackers to Reset Accounts' Passwords and Take Over Accounts

A significant Grindr vulnerability was discovered in September 2020. The security issue allowed bad actors to take over a user's Grind account if they simply knew the user's e-mail address.

The adult-oriented social network had a very significant issue with security. A hacker only needed a user e-mail address to crack an account open. Feeding the e-mail into the "Find your account" page of the service - the equivalent of an "I forgot my password" form, brought up a bot check Captcha form, then showed a message that a password reset e-mail had been sent. However, opening the browser's dev tools, a simple keypress in Chrome, brought up the internal Grindr password reset token, right there, in the page's code.

Having the user's e-mail address combined with the password reset token was enough to give bad actors access to the actual password request that is linked in the e-mail sent by the service. From this point on, changing the password and taking over the account is child's play.

Logging into the hacked account using the newly created password brought up a pop-up telling the user to confirm the login through the mobile app. If you think this is two-factor verification linked to your phone number, it isn't. Security researcher Troy Hunt, who conducted this small experiment in white hat fashion and exposed the vulnerability with the assistance of a couple of his colleagues, simply logged into the freshly hijacked account from his own mobile, using the newly changed password and the e-mail address and that was it - the account was his to do with as he pleased.

Hunt actually stated the vulnerability was among "the most basic account takeover techniques" he had ever come across in his years of work. Thankfully, after some initial hurdles contacting Grindr representatives on Twitter and creating a bit of a stir with a public tweet about the vulnerability, Hunt managed to get in touch with the platform's security team. The vulnerability has since been fixed by Grindr's developers.

Grindr Steps in With a Fix

Grindr representatives stated that the issue was discovered and patched out before any bad actors were able to abuse it. The social platform further announced its plans to launch a new bug hunting bounty program in the foreseeable future.

This incident shows that sometimes, no matter how secure your password is and no matter how invested you are in your personal cybersecurity, sometimes the fate of your information and accounts is simply not in your hands and you can do little about an attack vector similar to the one discovered with Grindr's vulnerability.

Of course, this does not mean that you should be neglectful or careless. In similar attacks that don't involve the user in any way, your best bet is to use a platform's two-factor authentication and secure your account with it as soon as it becomes available, if it isn't already.

By Zaib
October 6, 2020
Password Security
English
October 6, 2020
Password Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

How To

How to Enable Windows to Remember Your Accounts and Passwords Automatically

Your average Windows user visits a bunch of online sites that necessitate a username and password for authentication. We generally recommend that you use different passwords for different places but, with so many... Read more

May 10, 2019
Password Security

Overcoming the Challenge of Protecting Your Accounts With Strong Passwords

Securing your online accounts with complex passwords. How hard can it be? Those of you who know that a three-and-a-half-inch floppy disk isn't, in fact, a 3-D printed copy of the Save icon might also remember the... Read more

April 4, 2018
News

The Usernames and Passwords of 15 Billion Accounts Have Been Exposed

Your login credentials can get compromised. You can fall victim to a phishing scam, the service provider you're using may suffer a data breach, and if your passwords are not strong enough, cybercriminals could have no... Read more

July 9, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.