Terrifying Grindr hack let accounts be taken over with nothing more than an email address

A Grindr security flaw meant that accounts could easily be taken over by hackers with nothing more than an email address.

The Grindr hack was exposed by French security researcher Wassime Bouimadaghene and was subsequently documented by Troy Hunt and Scott Helme, both security experts.

In his research, Bouimadaghene discovered that a vulnerability in Grindr’s website allowed potential hackers to steal a user’s account by requesting a password reset.

The security flaw meant that, if a hacker obtained a user’s registered email address, they could request a password reset. This would send an automatic email to the user with a URL to reset their password – however, Bouimadaghene discovered that the same URL could be found in the code of the website.
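The flaw class described above, as an added Python example that is not code from the article, the researchers or Grindr: a reset handler that returns the emailed token to whoever made the request, beside one that sends it only to the mailbox, with a regression check that flags the leak. All function names, the JSON field names and the `app.example` URL are hypothetical, and the mail outbox is a constructed in-memory stand-in.

```python
import hashlib
import json
import secrets

# Constructed in-memory stand-ins for a token store and a mail queue.
RESET_HASHES = {}   # email -> SHA-256 of the outstanding reset token
OUTBOX = []         # (recipient, reset URL) pairs "sent" by email
BASE_URL = "https://app.example/reset?token="  # placeholder URL (assumption)

def _issue_token(email):
    """Create a one-time token, store only its hash, queue the mailed link."""
    token = secrets.token_urlsafe(32)
    RESET_HASHES[email] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((email, BASE_URL + token))
    return token

def reset_request_leaky(email):
    """Flawed pattern: the response body carries the same secret that was
    mailed, so the requester never needs access to the mailbox."""
    token = _issue_token(email)
    return json.dumps({"status": "sent", "resetToken": token})

def reset_request_hardened(email):
    """The token leaves the server only inside the email."""
    _issue_token(email)
    return json.dumps({"status": "sent"})

def response_leaks_token(email, body):
    """Regression check: does the response contain the mailed secret?"""
    mailed_url = next(url for rcpt, url in reversed(OUTBOX) if rcpt == email)
    token = mailed_url.split("token=", 1)[1]
    return token in body

def redeem(email, token):
    """Compare against the stored hash in constant time; single use."""
    expected = RESET_HASHES.pop(email, None)
    supplied = hashlib.sha256(token.encode()).hexdigest()
    return expected is not None and secrets.compare_digest(expected, supplied)
```

A check like `response_leaks_token` fits in an integration test suite, run against every response the reset endpoint can produce.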

The result, the researcher said, was that hackers could steal Grindr users’ accounts and access reams of personal and often highly sensitive information, such as photos, messages, their sexual orientation and HIV status.

Bouimadaghene reached out to Grindr personally to alert them to the security flaw, but he said he received no response from the company.

That prompted him to contact Troy Hunt, the creator of Have I Been Pwned, a website that allows people to find out if their email address or password has been compromised.

Troy Hunt investigated the breach by asking security researcher Scott Helme to register for a Grindr account.

As Bouimadaghene’s research suggested, Hunt was able to take over Helme’s account and was subsequently able to log in via the app.

Impact of Grindr hack is ‘obviously significant’

Writing on his website, Hunt said: “This is one of the most basic account takeover techniques I’ve seen… The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously.”

Hunt also confirmed that Bouimadaghene shared the findings of his research with Grindr on September 24. A support representative for the company reportedly told him that the issue had been “escalated” to developers and went on to flag the issue as “resolved”.

Like Bouimadaghene, Hunt encountered various difficulties in reporting the issue to Grindr – but after much work, his report finally got through to the security team and the flaw was quickly fixed.

Grindr’s chief operating officer Rick Marini told TechCrunch: “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.

“As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these.”

In 2018, the dating app faced public backlash when it was revealed that it had been sharing the HIV status of its users with outside firms.

Grindr was found to be sharing the information with two private companies that “optimise” apps.

PinkNews has contacted Grindr for comment.