Security researcher Troy Hunt reports on a security flaw that let attackers change the email address of Grindr accounts. All you had to do was know the account's current email address and trigger a password reset: the secret login URL was sent to the browser too, hidden in the code of the "check your email!" response page.
Full account takeover. What that means is access to everything the original Grindr account holder had access to …
This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token – which should be a secret key – is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously…
Except it wasn't.
Both the researcher who found the hack and Hunt tried without much success to get Grindr to listen to them; Grindr only responded after Hunt called the company out on Twitter. And Scott Helme, who helped Hunt verify that the hack worked, says Grindr isn't providing evidence as to why it believes the flaw was never exploited by malicious parties.
The hack's now fixed, Grindr says.
"As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward," the company said.
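To make the flaw described above concrete, here is an added illustration (not Grindr's code, nor Hunt's) of a password-reset handler that echoes the reset link into the response body of an anonymous request, beside a hardened version that sends the link only through the email channel, stores just a hash of the token, answers identically for unknown addresses, and makes the token single-use and time-limited. The account store, outbox and hostname are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the user database and the mail sender
# (hypothetical; not a real service's code).
ACCOUNTS = {"alice@example.com": {"reset_hash": None, "reset_expires": 0.0}}
OUTBOX = []  # (recipient, link) pairs that would have been emailed

def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset_vulnerable(email: str) -> dict:
    """Mirrors the reported flaw: the reset link is embedded in the page
    returned to the anonymous caller, so knowing the email address suffices."""
    token = secrets.token_urlsafe(32)
    ACCOUNTS[email]["reset_hash"] = _hash(token)
    ACCOUNTS[email]["reset_expires"] = time.time() + 900
    link = f"https://example.invalid/reset?token={token}"
    OUTBOX.append((email, link))
    return {"status": 200, "body": f"Check your email! <!-- {link} -->"}

def request_reset_fixed(email: str) -> dict:
    """Hardened: the token leaves the server only via email, only its hash is
    stored, and the response is the same whether or not the account exists."""
    acct = ACCOUNTS.get(email)
    if acct is not None:
        token = secrets.token_urlsafe(32)
        acct["reset_hash"] = _hash(token)
        acct["reset_expires"] = time.time() + 900
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return {"status": 200, "body": "If that address is registered, check your email."}

def redeem_reset(email: str, token: str) -> bool:
    """Consume a token: constant-time compare against the stored hash,
    honour the expiry, and invalidate it after a single successful use."""
    acct = ACCOUNTS.get(email)
    if acct is None or acct["reset_hash"] is None or time.time() > acct["reset_expires"]:
        return False
    ok = hmac.compare_digest(acct["reset_hash"], _hash(token))
    if ok:
        acct["reset_hash"] = None
    return ok

def token_leaked_in_response(resp: dict) -> bool:
    """Regression check: does the HTTP body contain any token meant for email?"""
    return any(link.split("token=")[1] in resp["body"] for _, link in OUTBOX)
```

The last function is the kind of check a test suite or code review can run against every reset response so that a secret meant for the mail channel never reaches the browser.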