Grindr password reset security flaw leaves accounts exposed


A security vulnerability in Grindr could allow anyone who knows a user's email address to access that user's app account.


As reported by TechCrunch's Zack Whittaker, the flaw was discovered by French security researcher Wassime Bouimadaghene, who reported it to Grindr, only for his reports to be ignored by the company.


Bouimadaghene then reached out to Troy Hunt, a fellow researcher and the founder of the website Have I Been Pwned, which allows users to check whether their email has been exposed in security breaches.


Hunt then verified that Grindr accounts could easily be compromised by copying and pasting code from the website's password reset page, meaning anyone who knew where to look could hijack accounts on the app.
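The article says only that the reset code could be copied from the reset page. The added example below is not Grindr's code and not taken from the article; it assumes the common failure mode behind such reports, a reset endpoint that echoes the freshly issued token back in its own response, and contrasts it with a hardened flow where the token leaves only via the mailbox, is stored hashed, expires, and is single-use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a real user database.
USERS = {"alice@example.com": {"password_hash": None}}
RESET_TOKENS = {}          # email -> {"token_hash": str, "expires": float}
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Store only a hash so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(email: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = {"token_hash": _hash_token(token),
                           "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


def request_reset_weak(email: str) -> dict:
    """Weak pattern (assumed, for contrast): the token is echoed back in the
    HTTP response, so whoever submitted the email address can read it."""
    return {"ok": True, "reset_token": _issue_token(email)}


def request_reset(email: str, send_email) -> dict:
    """Hardened pattern: the token only ever travels to the account's mailbox,
    and the response is identical for known and unknown addresses."""
    if email in USERS:
        send_email(email, _issue_token(email))
    return {"ok": True}


def complete_reset(email: str, token: str, new_password: str) -> bool:
    """Accept a token once, before expiry, compared in constant time."""
    record = RESET_TOKENS.get(email)
    if record is None or email not in USERS or time.time() > record["expires"]:
        return False
    if not hmac.compare_digest(record["token_hash"], _hash_token(token)):
        return False
    del RESET_TOKENS[email]                      # single use
    salt = secrets.token_bytes(16)
    USERS[email]["password_hash"] = (salt, hashlib.scrypt(
        new_password.encode(), salt=salt, n=2**14, r=8, p=1))
    return True
```

The weak variant lets the caller finish the reset with nothing but the address; the hardened variant keeps the token out of the response, compares hashes in constant time and discards the record after one use.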


In a statement, Grindr chief operating officer Rick Marini said: "We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties."


The company has also said it will partner with security researchers to create a simpler system for people to report vulnerabilities in the app's security. It has also said it will soon announce a bug bounty program "to provide additional incentives for researchers to assist us in keeping our service secure going forward."


Grindr is one of the world's most popular dating apps and is, according to Grindr itself, the world's largest dating app for gay, bi, trans and queer people.


Given that LGBT people experience serious targeted discrimination and harassment around the world, even having an account on the app can prove sensitive and potentially endangering information.


In 2014, Egyptian police were found to be using Grindr and other social media to trap gay people. In Egypt, public homosexual acts are illegal, though homosexuality itself technically is not.