Troy Hunt Flags Up ‘Sensational’ Sextortion Bug in Grindr
Grindr, the popular dating app, had a ridiculous bug in its password-recovery flow. “This is one of the most basic account takeover techniques I’ve seen,” blogged security researcher Troy Hunt.
To make matters worse, Grindr ignored the bug for a week when a less well-known researcher first reported it. And it presumably would have continued to do nothing, had Troy not joined the hunt.
Sadly, Grindr is well-known for ignoring security holes. In today’s SB Blogwatch, we hope it takes more pride in the future.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Pipelinefunk.
Stupid Vuln—Stupidly Easy ’Sploit
What’s the craic, Zack? Mister Whittaker reports—“A security flaw in Grindr let anyone easily hijack user accounts”:
Grindr … has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene … found the vulnerability.
…
Bouimadaghene found the vulnerability in how the app handles account password resets. … Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset [if they know] a user’s registered email address.
…
In a statement, Grindr’s chief operating officer Rick Marini [asked his PR flacks to ghostwrite], “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties.”
But getting to the fix wasn’t easy. Sergiu Gatlan picks up the story—“Grindr fixed a bug”:
Bouimadaghene … asked for Troy Hunt’s help to get reach out to Grindr after he unsuccessfully tried to report it through multiple channels. … Once Hunt asked for a Grindr security contact on Twitter, within about 90 minutes, the company quickly addressed the flaw.
…
After fixing the security issue, Grindr [said] they are working on making it easier for researchers to report such issues and that a new bug bounty program is in the works. [I] also reached out to Grindr for comment but had not heard back.
What a bunch of dags. G’day, Troy Hunt—“Hacking Grindr Accounts with Copy and Paste”:
Sexuality, relationships and online dating are all rather personal things. … Grindr data is very personal and inevitably, very sensitive for multiple reasons.
…
Wassime … was hitting a brick wall. … The Grindr support rep stated that he had “escalated it to our developers” and immediately flagged the ticket as “resolved.” … After 5 days of … not receiving a response, [Wassime] contacted me. He also shared a screenshot of his attempt to reach Grindr via Twitter DM which [also] fell on deaf ears.
…
The account takeover all began with the Grindr password reset page. … I’ve popped open the dev tools because the reset token in the response is key. In fact, it’s the key. … I was prompted to set a new password … and that’s it – the password was changed. … So I logged in to the account. … Full account takeover … access to everything the original Grindr account holder had access to.
…
The thought of that … being accessed by unknown third parties is extremely concerning. Consider also the extent of personal information Grindr collects. [Which] is what makes it so sensational that the data was so trivially accessible by anyone. … I cannot fathom why … a secret key is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant.
…
The only reason their Twitter account publicly replied to me was because my tweet garnered a lot of interest. … Their triaging of security reports [needs] work.
But it’s not the first time, as erichurkman explains, avec trop de déjà vu:
Back when I reported a Grindr security flaw (2016), I couldn’t find them on any of the bounty sites, [email protected] bounced, and support failed to route it correctly. Reaching out to their CTO, who I found on LinkedIn, [at] [email protected] got a reply in 8 minutes.
…
Sad to see they still haven’t upped their security game.
Wait. Pause. @n00py1 asks the question on everyone’s lips:
Do these apps ever get pentested before release? … It wouldn’t have been caught in a vuln scan, but taking the string from the password reset link and pasting it into the search bar of Burp history would have revealed this.
…
I pretty often search for tokens in my proxy history to see where they are used.
Perhaps the bigger issue is the lack of action. M Lyndon is disturbed:
They probably get a shedload of support tickets, but it sounds like Grindr dropped the ball here. Anyone on first level support should have realised that this was something that really needed to be “escalated,” and not “resolved” with no immediate action.
The way Wassime was fobbed off is disturbing to say the least. And what’s even more worrying is that this is the sort of thing bad actors may already have known about.
But DevX101 feels far more strongly:
If your company is being actively targeted by nation states (and rest assured, Grindr is), you should have a serious security team where this sort of stuff shouldn’t have seen the light of day. I’m not exaggerating when I say this bug may have gotten people locked up.
…
I’m also concerned about antagonist nation state that gets the personal emails of top officials at Department of Defense, goes through a targeted list in an attempt to find out who’s a member, and if a match found, then engage in a blackmail scheme.
I guess doing the right thing is probably not “Agile” enough. ptaff knows who they’d blame:
Clueless developers. I guess the full-stack-devops-l33t-k00l-kid who implemented this also does all input validation in the frontend.
Meanwhile, developer2 explains how this sort of thing happens:
This routinely happens at companies which rush every feature out the door with modern “agile” practices. The sprint is almost over! Quick, deliver all features by tomorrow to keep up our velocity and avoid a sprint review with negative feedback! Just merge it and push to prod without QA on a Friday at 4pm!
If only the above was a comedy routine, rather than what it truly is: the genuine reality at a large number of companies.
And Finally:
Hat tip: Phil Shapiro
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Hanna Sörensson (cc:by-sa)
