Grindr to launch bug bounty scheme after recent security flaw

6 Oct 2020

Image: © dennizn/Stock.adobe.com

After a serious vulnerability was discovered, dating platform Grindr has announced plans to launch a bug bounty programme to improve the safety and security of its app.

Grindr, a popular dating and social networking app for gay, bi, trans and queer people, has announced plans to introduce a bug bounty programme to deal with potential privacy and security risks.

The announcement comes after French security researcher, Wassime Bouimadaghene, spotted a vulnerability that enabled password resets without access to a user’s inbox. According to TechCrunch, Bouimadaghene reported the issue to Grindr and received no response.

The French researcher then reached out to cybersecurity expert Troy Hunt, who tested and confirmed the vulnerability before sharing details with TechCrunch. Hunt is the creator of HaveIBeenPwned.com, which is a platform that allows internet users to check whether their personal data has been compromised by data breaches.

After Hunt’s involvement, Grindr released a statement noting that the security flaw has now been fixed.

The vulnerability

Bouimadaghene discovered that Grindr was handling password resets in a peculiar way. Like many other platforms, Grindr sends users emails with a link containing an account password reset token, which allows a user to change their password and regain access to their account.

However, Hunt outlined the problem in a blog post, which existed on Grindr’s password reset page. Once a registered email address was entered on the reset page, any user could open up the dev tools for the web page to view the reset URL that was sent to the user, which could have enabled hackers to bypass a Grindr user’s email inbox.

Hunt commented: “This is one of the most basic account takeover techniques I’ve seen.”

Hunt noted that by its nature, Grindr profiles hold extremely sensitive information about the platform’s users, including their sexual orientation and HIV status, along with any photographs they exchange with other users.

In a statement to TechCrunch, Grindr’s chief operating officer, Rick Marini, said that the company hopes to improve the safety and security of the dating platform.

Marini said: “We are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these.

“In addition, we will soon announce a new bug bounty programme to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

Grindr’s history with privacy

Earlier this year, Grindr was sold by its Chinese owners to a group of US investors for around $608.5m. The sale was organised after a US government committee expressed national security concerns about the app’s ownership by Beijing Kunlun Tech.

Bouimadaghene’s discovery was not the first privacy issue that the company has dealt with. In 2018, it emerged that Grindr had shared its HIV status data with two separate companies, which were Apptimize and Localytics.

The two companies, which help optimise apps, received information that Grindr users elected to share on their profiles, which included their HIV status, the last date they were tested for HIV, and whether or not they are taking PrEP, a medication that lowers the risk of contracting HIV.

The issue was spotted by researchers at Norwegian non-profit SINTEF. The researchers discovered that Grindr had also been sharing other user information, including GPS location, sexuality, relationship status and phone ID with advertising firms, in some cases without encryption.

After the news broke, Grindr announced that it would cease sharing users’ HIV status, though the company’s former CSO Bryce Case claimed that Grindr was being “singled out” in light of the Cambridge Analytica scandal.

Before that, Grindr was under the spotlight after security researchers at Japan’s Kyoto University found that it was possible for a highly determined individual to pinpoint a user’s exact location.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com