Grindr has fixed a security flaw that allowed password reset without access to the user’s email inbox, and said it will introduce a bug bounty program to simplify vulnerability reporting.
As security researcher Troy Hunt describes, the flaw was on Grindr’s password reset page. After a visitor entered an email address and solved a CAPTCHA, the page displayed a message telling them to check their email for a link to reset their password. However, anyone who opened the browser’s developer tools on that page could see the reset URL that had been sent to the user, so no access to the email inbox was needed.
“This is one of the most basic account acquisition techniques I have seen,” Hunt writes. “I can’t understand why the reset tab …which should be a secret key—it is returned in the response body of a request issued anonymously. The ease of exploitation is incredibly low and the impact is obviously significant, so clearly this is something to be taken seriously.”
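The pattern Hunt describes, next to a hardened form, as an added example that is not Grindr's code or code from the original article. The class, the `resetToken` field name, the token lifetime and the sample addresses are all hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import time

GENERIC = {"message": "If that address is registered, a reset link has been sent."}
TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, not taken from the article

class ResetService:
    """Hypothetical reset flow; `users` and `outbox` stand in for a database and a mail queue."""
    def __init__(self, users):
        self.users = set(users)
        self.pending = {}  # email -> (sha256 of token, expiry); raw token is never stored
        self.outbox = []   # (email, token): the mail channel, the only place the raw token goes

    def _issue(self, email):
        token = secrets.token_urlsafe(32)
        self.pending[email] = (self._digest(token), time.time() + TOKEN_TTL)
        self.outbox.append((email, token))
        return token

    def request_reset_vulnerable(self, email):
        # The flaw described above: the secret is echoed back to the anonymous caller.
        return {"message": "Check your email", "resetToken": self._issue(email)}

    def request_reset(self, email):
        # Hardened: the token leaves only through the mail channel, and the body
        # is identical for known and unknown addresses.
        if email in self.users:
            self._issue(email)
        return dict(GENERIC)

    def redeem(self, email, token, now=None):
        now = time.time() if now is None else now
        digest, expiry = self.pending.pop(email, (None, 0))  # any attempt consumes it
        if digest is None or now > expiry:
            return False
        return hmac.compare_digest(digest, self._digest(token))

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

def response_leaks_secret(service, email, handler):
    """Regression check: does a token mailed to `email` appear in the response body?"""
    body = json.dumps(handler(email))
    return any(tok in body for addr, tok in service.outbox if addr == email)
```

A check like `response_leaks_secret` belongs in the test suite of any endpoint that issues secrets out of band, so the response body is inspected the same way the browser's developer tools would show it.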
Hunt was investigating the issue because the researcher who first noticed the bug, Wassime Bouimadaghene, had trouble getting Grindr to answer his queries. Bouimadaghene contacted Hunt after receiving no response from Grindr, so Hunt teamed up with fellow security researcher Scott Helme, who created a Grindr account for Hunt to try to take over. It worked.
“Also consider the extent of personal information Grindr collects, [which] would be immediately visible to anyone accessing your account simply by knowing your email address,” writes Hunt.
Rick Marini, Grindr’s chief operating officer, tells TechCrunch that Grindr believes it “addressed the problem before it was exploited by malicious parties.”
Going forward, “we are partnering with a leading security company to simplify and enhance the ability of security investigators to report issues like these,” said Marini. “Additionally, we will soon announce a new bug bounty program to provide additional incentives for researchers to help us keep our service safe in the future.”
This isn’t the first user-related security issue to come up on Grindr – in 2018, Grindr shared users’ HIV status with third-party companies, and in 2016, a user’s location was surprisingly easy to identify on the application.