Grindr had a leak in its password reset form that allowed account hijacking

Grindr, a dating app for LGBTI people, had a vulnerability that let a malicious person easily take over accounts. All they needed was the target’s email address. Grindr says it was not used by attackers.

Grindr’s password reset form returned the password reset token in the response, within the web form itself. This token is the key that authorizes a password reset and is therefore normally sent to, for example, the email address of the user in question. So if anyone can request a reset and get the token right away, there is no real identity verification. The token could be found by reading the page’s source code. Whoever pasted that token into Grindr’s default password reset URL was able to reset the password. The attacker then had access to the user’s account, including profile, messages and photos. Access to Grindr’s web interface was also an option.

The person who discovered the leak first reported it to Grindr itself, including technical details. Grindr said it would act on it, but no further response followed, let alone a fix. The help of security researcher Troy Hunt was then enlisted, and he tried to reach someone at Grindr via a public tweet. This drew a lot of public attention and ultimately led to a response and a rapid fix from Grindr. Grindr states that it is hiring a ‘leading’ security company to streamline its process for receiving these types of reports. It is unknown whether that plan was already in place, or whether it is happening as a result of this incident. Furthermore, a bug bounty program is coming soon, which could reward researchers for reporting these types of leaks.
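The reset-form flaw described in this article, shown beside a corrected flow, as an added example that is not Grindr's code. All function names, field names and the in-memory stores are hypothetical, and the 15-minute token lifetime is an assumption.

```python
import hashlib
import secrets
import time

# Constructed sample data: in-memory stand-ins for a user table,
# a token table and an outgoing mail queue.
USERS = {"alice@example.com"}
RESET_TOKENS = {}    # sha256(token) -> (email, expiry timestamp)
OUTBOX = []          # (recipient, message) pairs "sent" by e-mail
TOKEN_TTL = 15 * 60  # seconds; assumed lifetime


def issue_token(email):
    """Create a random token, store only its hash, return the raw token."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL)
    return token


def request_reset_vulnerable(email):
    """Flawed pattern from the article: the token comes back in the response."""
    if email not in USERS:
        return {"status": "unknown account"}
    return {"status": "ok", "reset_token": issue_token(email)}


def request_reset_hardened(email):
    """The token leaves the server only through the account's mailbox."""
    if email in USERS:
        OUTBOX.append((email, "Reset code: " + issue_token(email)))
    # Same body whether or not the account exists, and no token in it.
    return {"status": "if the address is registered, a reset mail was sent"}


def redeem(token, now=None):
    """Return the e-mail the token resets, or None. Tokens are single use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    email, expiry = RESET_TOKENS.pop(digest, (None, 0))
    now = time.time() if now is None else now
    return email if email and now < expiry else None
```

A regression test for this class of bug can request a reset for a test account and fail if the token delivered by mail appears anywhere in the HTTP response.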