Anyone can access your Grindr account due to a shameful security flaw


You would think that a dating app that knows your sexuality and HIV status would take every precaution to protect that information, but Grindr has once again disappointed the world, this time with a gobsmacking security vulnerability that lets literally anyone who can guess your email address into your user account.

Fortunately, the French security researcher Wassime Bouimadaghene detected the weakness, perhaps before it was exploited, and it is now fixed.

Unsurprisingly for Grindr, the company ignored his reports until security researcher Troy Hunt (of Have I Been Pwned) and journalist Zack Whittaker (of TechCrunch) each confirmed the issue and wrote about it.

The details are worth a look (so please see the image above), but the short version is this: if you put an email address into Grindr's password reset form, it will send a message back to your web browser with the key you need to reset the password buried inside it.

You can then theoretically copy and paste that key into the password reset URL (which Hunt did), and take over the account.
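The flaw described above, as a minimal sketch added here (not Grindr's code and not from the original article): a reset handler that returns the key in its response, next to one that delivers it only to the mailbox. All function names, the in-memory stores and the sample address are assumptions made for illustration.

```python
import hashlib
import secrets
import time

USERS = {"alice@example.com"}   # constructed sample account
RESET_TOKENS = {}               # sha256(token) -> (email, expiry)
OUTBOX = []                     # stands in for the mail system
TOKEN_TTL = 15 * 60             # token lifetime in seconds
GENERIC = {"status": "If that address has an account, a reset link was sent."}


def _issue_token(email):
    """Create a single-use token; store only its hash server-side."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL)
    return token


def request_reset_vulnerable(email):
    """Flawed pattern from the article: the reset key rides back in the
    response, so whoever submits the form receives it."""
    if email not in USERS:
        return {"status": "unknown account"}
    return {"status": "sent", "resetToken": _issue_token(email)}


def request_reset_hardened(email):
    """The key goes only to the mailbox; the response is identical for
    known and unknown addresses, so it also reveals nothing about them."""
    if email in USERS:
        OUTBOX.append((email, _issue_token(email)))
    return dict(GENERIC)


def redeem(token, now=None):
    """Return the account email for a valid token, consuming it; else None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None:
        return None
    email, expiry = entry
    now = time.time() if now is None else now
    return email if now <= expiry else None
```

A regression test for this class of bug asserts that the reset response body never contains the token and is byte-for-byte the same whether or not the address exists.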

Grindr COO Rick Marini told TechCrunch that “we believe we considered this issue before it was exploited by any malicious parties,” and says Grindr will both partner with a “leading security company” and introduce a bug bounty program. This could mean that it will be easier to get in touch with security researchers like Bouimadaghene.

Again, this is not just an app that holds some messages. Grindr users include gay, bi, trans, and queer individuals, and the mere presence of the app on someone’s phone suggests something about their sexuality that they don’t disclose to the outside world. And yet this is the company that, along with other users, is monitoring its users’ HIV status.

That said, it will now be a slightly different company. This March, the company’s Chinese owners sold it to a group of U.S. investors, which also became Grindr’s new management. Marini, the COO cited by TechCrunch, was an investor in that group. A second, Jeff Bonforte, is the company’s new CEO.