Grindr Promises Bug Bounty Program After Patching Password-Reset Flaw


Grindr has fixed a security flaw that allowed for password resets without access to a user’s email inbox, and said it will introduce a bug bounty program to simplify vulnerability reporting.

As security researcher Troy Hunt outlines, the flaw was present on Grindr’s password reset site. After a visitor entered an email address and solved a CAPTCHA, the site displayed a message telling them to check their email for a password reset link. Anyone who opened the browser’s developer tools on that site, however, could view the reset URL that was sent to the user; no access to the email inbox was necessary.

“This is one of the most basic account takeover techniques I’ve seen,” Hunt writes. “I cannot fathom why the reset token—which should be a secret key—is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously.”
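The flaw Hunt describes, reduced to a minimal sketch with a corrected handler beside it and a regression check for the leak. This is an added example, not Grindr's code; the in-memory stores, the `app.example` URL, the `resetUrl` field and all function names are assumptions.

```python
import hashlib
import secrets

USERS = {"alice@example.com"}   # constructed sample account
RESET_TOKENS = {}               # sha256(token) -> email; plaintext is never stored
OUTBOX = []                     # (recipient, reset_url): stand-in for the mail queue
RESET_BASE = "https://app.example/reset?token="   # hypothetical URL
GENERIC = {"message": "Check your email for a password reset link."}


def _issue_token(email):
    """Create an unguessable token, keep only its hash, mail the link."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, RESET_BASE + token))
    return token


def reset_flawed(email):
    """Flawed pattern: the secret link is echoed to the anonymous requester."""
    if email not in USERS:
        return dict(GENERIC)
    token = _issue_token(email)
    # "resetUrl" is a hypothetical field name for the leaked value.
    return {**GENERIC, "resetUrl": RESET_BASE + token}


def reset_hardened(email):
    """The link leaves the server only by email; the body carries no secret."""
    if email in USERS:
        _issue_token(email)
    return dict(GENERIC)


def response_leaks_token(body):
    """Regression check: does any issued token appear in a response body?"""
    text = repr(body)
    return any(url[len(RESET_BASE):] in text for _, url in OUTBOX)


if __name__ == "__main__":
    for handler in (reset_flawed, reset_hardened):
        body = handler("alice@example.com")
        print(handler.__name__, "leaks token:", response_leaks_token(body))
```

A check like `response_leaks_token` belongs in the API test suite, so a reset token appearing in any anonymous response fails the build.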

Hunt investigated the issue because the researcher who first noticed the bug, Wassime Bouimadaghene, had trouble getting Grindr to respond to his queries. Bouimadaghene contacted Hunt after receiving no response from Grindr, so Hunt teamed up with fellow security researcher Scott Helme, who created a Grindr account for Hunt to try to crack. It worked.

“Consider also the extent of personal information Grindr collects, [which] would immediately be on display to anyone who accessed his account simply by knowing his email address,” Hunt writes.

Rick Marini, Grindr’s chief operating officer, tells TechCrunch that Grindr believes “we addressed the issue before it was exploited by any malicious parties.”

Going forward, “we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these,” Marini said. “In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

This isn’t the first user-related security issue that has come up on Grindr: In 2018, Grindr shared users’ HIV status with third-party firms and back in 2016, a user’s location was surprisingly easy to pinpoint on the app.
