The popular LGBT+ hook-up app Grindr has fixed a glaring security flaw that allowed hackers to take over any account if they knew the user’s registered email address, TechCrunch reports.
Wassime Bouimadaghene, a French security researcher, originally uncovered the vulnerability in September. But after he shared his discovery with Grindr and was met with radio silence, he decided to team up with Australian security expert Troy Hunt, a regional director at Microsoft and the creator of the world’s largest database of stolen usernames and passwords, Have I Been Pwned?, to draw attention to an issue that put Grindr’s more than 3 million daily active users at risk.
Hunt shared these findings with the outlet and on his website Friday, explaining that the problem stemmed from Grindr’s process for letting users reset their passwords. Like many social media sites,
Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.
Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he didn’t hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt to help.
The vulnerability was fixed a short time later.
Hunt tested and confirmed the vulnerability with help from a test account set up by Scott Helme, and shared his findings with TechCrunch.
Bouimadaghene found the vulnerability in how the app handles account password resets.
To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into