Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr

published 03.10.2020 11:08


In brief LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address.

Thus you could enter someone's account email address into the password reset page, inspect the response, get the leaked token, construct the reset URL from the token, click on it, and you'd get to the page to enter a new password for the account.

After reporting the blunder to Grindr and getting no joy, Bouimadaghene went to Aussie internet hero Troy Hunt, who eventually got hold of people at the software maker, the bug got fixed, and the tokens were no longer leaking out.
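The reset flow the article describes, as an added example that is neither Grindr's code nor the bug reporter's: a Python sketch of a password-reset endpoint that echoes the token in its HTTP response (the failure mode above) beside a hardened version that sends the token only by email, stores just a digest of it, expires it, and consumes it on first use. The in-memory user store, the mail outbox, the hostname `app.example`, the 15-minute lifetime and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link
GENERIC_RESPONSE = {
    "ok": True,
    "message": "If that address is registered, a reset link has been emailed.",
}


def _token_digest(token: str) -> str:
    # Only a digest is stored, so a read of the token table cannot be
    # turned into a working reset link.
    return hashlib.sha256(token.encode()).hexdigest()


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed in-memory stores standing in for a user database and a mail
# transport (assumptions for this example, not any real system's data).
_ALICE_SALT = secrets.token_bytes(16)
USERS = {
    "alice@example.com": {
        "salt": _ALICE_SALT,
        "password_hash": _password_hash("old-password", _ALICE_SALT),
    }
}
RESET_TOKENS = {}   # sha256(token) -> {"email": ..., "expires_at": ...}
OUTBOX = []         # one entry per email the app "sent"


def _issue_token(email: str) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    RESET_TOKENS[_token_digest(token)] = {
        "email": email,
        "expires_at": time.time() + TOKEN_TTL_SECONDS,
    }
    return token


def leaky_reset_request(email: str) -> dict:
    """The failure mode in the article: the response to the reset request
    carries the token, so anyone who knows the email can read it and build
    the reset link. It also reveals which addresses are registered."""
    if email not in USERS:
        return {"ok": False, "message": "no such account"}
    return {"ok": True, "token": _issue_token(email)}


def request_password_reset(email: str) -> dict:
    """Hardened: the token leaves the server only inside the email, and the
    response is byte-for-byte identical whether or not the address exists."""
    if email in USERS:
        token = _issue_token(email)
        OUTBOX.append({"to": email,
                       "link": f"https://app.example/reset?token={token}"})
    return dict(GENERIC_RESPONSE)


def complete_password_reset(token: str, new_password: str) -> bool:
    """Consume the token: it must exist and be unexpired. It is removed on
    the first attempt whether or not that attempt succeeds, so a link is
    usable at most once."""
    record = RESET_TOKENS.pop(_token_digest(token), None)
    if record is None or time.time() > record["expires_at"]:
        return False
    user = USERS[record["email"]]
    user["password_hash"] = _password_hash(new_password, user["salt"])
    return True


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["password_hash"],
                               _password_hash(password, user["salt"]))


if __name__ == "__main__":
    print("leaky response:", leaky_reset_request("alice@example.com"))
    print("hardened response:", request_password_reset("alice@example.com"))
    print("hardened response, unknown address:",
          request_password_reset("nobody@example.com"))
    print("emails sent:", len(OUTBOX))
```

The point to check in a real service is the second function's contract: the JSON that comes back from the reset endpoint must contain nothing derived from the token, and must look the same for unknown addresses; the only channel that carries the token is the message to the mailbox the attacker does not control.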