Grindr had a security vulnerability that could have let anyone who knew your email address into your account.
French security researcher Wassime Bouimadaghene discovered the vulnerability before it could be exploited. It has now been fixed.
Grindr ignored the researcher's disclosures. Security researcher Troy Hunt and journalist Zack Whittaker each confirmed the issue and wrote about it.
If you put an email address into Grindr's password reset form, it would send a response back to your web browser with the key needed to reset the password buried inside it.
You could then simply copy and paste that key into a password reset URL and take over the account, just like that.
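As an added illustration, not Grindr's own code, here is a minimal Python model of the reset flow just described: one handler that echoes the reset key back in the HTTP response beside one that lets the key leave the server only through the mail channel and answers the browser neutrally. The user store, mail outbox and function names are hypothetical stand-ins.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical in-memory user table; stands in for a real database.
USERS = {"alice@example.com": {"password_hash": b"placeholder"}}


@dataclass
class ResetStore:
    tokens: dict = field(default_factory=dict)   # sha256(token) -> email, so a DB leak does not leak live tokens
    outbox: list = field(default_factory=list)   # (email, token) pairs handed to the mail system


def _issue_token(store, email):
    token = secrets.token_urlsafe(32)                      # unguessable, 256 bits of entropy
    store.tokens[hashlib.sha256(token.encode()).hexdigest()] = email
    store.outbox.append((email, token))                    # the only legitimate delivery path
    return token


def request_reset_vulnerable(store, email):
    """Models the flaw: the reset key is placed in the response sent to the browser."""
    if email not in USERS:
        return {"ok": False, "error": "unknown user"}
    token = _issue_token(store, email)
    return {"ok": True, "resetToken": token}   # whoever typed the address now holds the key


def request_reset_hardened(store, email):
    """The key is sent only by mail; the browser gets the same reply either way."""
    if email in USERS:
        _issue_token(store, email)
    # Identical response for known and unknown addresses, so the form confirms nothing.
    return {"ok": True, "message": "If that address is registered, a reset link has been sent."}


def redeem_reset(store, token, new_password):
    """Consume a token from the reset link; each token works exactly once."""
    email = store.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if email is None:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(new_password.encode(), salt=salt, n=2**14, r=8, p=1)
    USERS[email]["password_hash"] = salt + digest
    return True
```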
Grindr COO Rick Marini said that 'we believe we addressed the issue before it was exploited by any malicious parties'. That should mean security researchers like Bouimadaghene will have an easier time getting in touch with a 'leading security firm'.
Grindr users include gay, bi, trans and queer individuals. The presence of the app on a person's phone can reveal something about their sexuality that they may not want disclosed to the outside world.