A Security Flaw In Grindr Let Anyone Easily Hijack User Accounts (techcrunch.com) 11
Grindr, one of the world's largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user's account using only their email address. TechCrunch reports: Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he didn't hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt to help. The vulnerability was fixed a short time later. Bouimadaghene found the vulnerability in how the app handles account password resets.
To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into their account. But Bouimadaghene found that Grindr's password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user's registered email address, and collect the password reset token from the browser if they knew where to look.
The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link -- the same link that was sent to the user's inbox -- using the leaked password reset token from the browser. With that crafted link, the malicious user can reset the account owner's password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.
To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into their account. But Bouimadaghene found that Grindr's password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user's registered email address, and collect the password reset token from the browser if they knew where to look.
The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link -- the same link that was sent to the user's inbox -- using the leaked password reset token from the browser. With that crafted link, the malicious user can reset the account owner's password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.
Bug name suggestion (Score:5, Funny)
No biggie... (Score:1)
The people using this site are looking to get backdoored, so what's the problem here?
"That's not a bug, it's a feature!"
"Got what I came here for. Would come again. A++"
Re: No biggie... (Score:2)
Re: (Score:2)
"Would come again."
Also on-topic.
Re: (Score:2)
I guess the Grindr IT team will have to take a long, hard look at their source code, and ensure there aren't even any pinholes in their data protection (perhaps by some automatic electronic mechanism). It sounds like they may also want to explore some third-party penetration testing with a trusted partner. As much as it makes it harder on the other users of the system, we all know security is one of the areas to be anal about, as even one leak can cause a permanent stain on one's reputation.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
What she said. (Score:2)
Clueless developers (Score:2)
How come this reset token is available in the frontend of an application? I can't figure out any scenario where it makes sense or even helps cut corners.
I guess the full-stack-devops-l33t-k00l-kid who implemented this also does all input validation in the frontend.