Until recently the dating platform Grindr had a serious security hole: through the password-reset function an attacker could take over a user account completely. On the web page where a password reset is requested, the decisive part of the reset link could be read out and used to gain access to an account; all an attacker had to know was the e-mail address of a Grindr user, TechCrunch reports.
Security token exposed in the browser
Like many services, Grindr resets a password via a reset link that is sent, on the user's request, to the e-mail address on file. The French security researcher Wassime Bouimadaghene found that the page used to request such a reset link freely handed back the security token that forms part of the link, a token which should only ever reach the requesting user's mailbox. Since the reset links Grindr sends always have the same structure, the token could simply be copied into a self-built link. An attacker who knew an e-mail address registered with a Grindr account could therefore create a reset link this way and assign a new password, which is already enough to take over the entire account.
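The flaw described above, as an added example that is not Grindr's code and not taken from the TechCrunch or Troy Hunt write-ups: a minimal password-reset flow in which the "forgot password" handler returns the token in its HTTP reply, beside a hardened handler that only ever puts the token into the e-mail, stores just a hash of it, expires it, and consumes it on first use. The user records, the `example.test` link format and all function names are assumptions made for the demonstration.

```python
"""Leaky vs. hardened password-reset flow (illustrative; not Grindr's implementation)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_URL = "https://example.test/reset?token="  # assumed, fixed link format
TOKEN_TTL = 3600                                  # seconds a reset link stays valid


@dataclass
class User:
    email: str
    password: str                        # plaintext only for this demo; real code stores a hash
    reset_token_hash: Optional[str] = None
    reset_expires: float = 0.0


# Constructed sample account; not real data.
USERS: Dict[str, User] = {
    "victim@example.test": User("victim@example.test", "old-secret"),
}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _issue_token(user: User, now: float) -> str:
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = _hash_token(token)  # keep only the hash: a DB leak yields no usable link
    user.reset_expires = now + TOKEN_TTL
    return token


def vulnerable_request_reset(email: str, now: Optional[float] = None) -> dict:
    """Models the flaw: the reply to the reset form carries the token that should only go by e-mail."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return {"status": "not_found"}         # also an account-enumeration oracle
    token = _issue_token(user, now)
    return {"status": "ok", "email": email, "resetToken": token}  # <-- the leak


def hardened_request_reset(email: str, send_mail: Callable[[str, str], None],
                           now: Optional[float] = None) -> dict:
    """Token leaves the server only inside the e-mail; the reply is identical for every input."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is not None:
        token = _issue_token(user, now)
        send_mail(email, RESET_URL + token)
    return {"status": "ok"}                    # no token, no hint whether the address exists


def complete_reset(link: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consumes a reset link: correct token, not expired, single use."""
    now = time.time() if now is None else now
    if not link.startswith(RESET_URL):
        return False
    token_hash = _hash_token(link[len(RESET_URL):])
    for user in USERS.values():                # a real system indexes on the token hash
        if user.reset_token_hash and hmac.compare_digest(user.reset_token_hash, token_hash):
            if now > user.reset_expires:
                return False
            user.password = new_password
            user.reset_token_hash = None       # single use
            return True
    return False


def attacker_takeover(email: str, request_reset: Callable[[str], dict]) -> bool:
    """Attacker knows only the e-mail address; succeeds iff the reset reply hands back the token."""
    token = request_reset(email).get("resetToken")
    if token is None:
        return False
    return complete_reset(RESET_URL + token, "attacker-chosen")


if __name__ == "__main__":
    print("leaky endpoint, takeover:", attacker_takeover("victim@example.test", vulnerable_request_reset))
    silent = lambda e: hardened_request_reset(e, lambda to, link: None)
    print("hardened endpoint, takeover:", attacker_takeover("victim@example.test", silent))
```

The attacker never touches the mailbox: the only difference between the two handlers is whether the token is present in the response the browser receives, which is exactly what made the original attack a copy-and-paste job. The hardened variant also answers identically for unknown addresses, so the reset form stops confirming which e-mail addresses belong to accounts.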
As TechCrunch reported, Bouimadaghene contacted Grindr about his discovery but initially got no reply. He then turned to fellow security researcher Troy Hunt, who escalated the problem. Shortly afterwards Grindr closed the hole. Hunt describes the approach in detail in a blog post and calls it one of the simplest account-takeover techniques he has ever seen.
A Grindr executive thanked Bouimadaghene for the tip. The hole has been closed, and the company assumes that no attacker exploited it. Grindr now wants to work with a security firm and make it easier to report such vulnerabilities. It also intends to offer rewards for the discovery of further weaknesses (a bug-bounty program).
Grindr is a worldwide dating platform for the LGBTQ community, said to have 27 million users, around 3 million of whom use the app every day. In 2016 a majority stake in the company, which is based in California, was taken over by a Chinese investor, but the US regulator objected and the investor had to divest its holding. The reason for the authorities' intervention emerged later: Chinese developers are said to have had access to confidential user data for a time.