Hacker exposes Grindr users' intimate information and explicit photos

Filed Under: Apple, BlackBerry, Data loss, Featured, iOS, Privacy, Social networks, Vulnerability

A popular smartphone app used by the gay community to hook up with like-minded people in their vicinity suffers from a serious security vulnerability that could expose users' personal information and the explicit photos they have been sent.

At least that's the claim being made in The Sydney Morning Herald today.

If you're not familiar with it, Grindr takes the hassle out of finding new acquaintances in your neighbourhood. So, if you're looking for gay guys or gals in your vicinity a quick ping on Grindr will not only show you their photographs and details, but also how many feet away they are from you.

Before you know it, you're flirting with a complete stranger and they're sharing their precise location with your smartphone. At least, that's what I'm led to believe.

If you think that would be a niche interest, then sit down as I tell you that Grindr claims to have over three million users. Yup, these days the internet is all about location, location, location.

According to journalist Ben Grubb, an unnamed hacker has revealed how to log in as another user on the Grindr app (or, indeed, its less famous straight equivalent - Blendr) without permission, impersonate them, send chat and photo messages, and view passwords.

As the photos and communications that can be exchanged can be of a - how shall I put this? - delicate nature, you can understand the potential problems.


Grindr's founder Joel Simkhai has responded by saying that both Grindr and Blendr will be patched "over the next few days", and that the company will roll out a major new security upgrade in the coming weeks.

Although Grindr's Twitter feed has acknowledged the security vulnerability, I couldn't find any information on their official website.

However, the Sydney Morning Herald strongly suggests that the problem may lie in Grindr's underlying systems relying upon an id code to access its database, rather than a better form of authentication such as a username and password.

The hacker reportedly found that he could replace his id code, or hash, with that of another user - and then access their account.

It's an elementary security mistake that we have seen many websites caught out by before, not that that will be any consolation to the romance-hunting users of Grindr and Blendr.
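To make the mistake concrete, here is an added illustration (my own example code, not anything from Grindr, Blendr or the Herald's report) of the two designs side by side: a server that treats a client-supplied id code as proof of identity, and one that authenticates with a server-issued random session token and derives the caller's identity from that token. The user names, the way the id code is derived and the `password_ok` stand-in for credential checking are all constructed for the example; the article only says an "id code, or hash" was used.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data standing in for the server's database.
USERS: Dict[str, dict] = {
    "alice": {"private_photos": ["a1.jpg"], "messages": ["hi"]},
    "bob": {"private_photos": ["b1.jpg"], "messages": ["hello"]},
}


# --- Weak design (the pattern the article describes) ---------------------

def user_id_code(username: str) -> str:
    """Id code derived from the username. Assumed for the example: the article
    only says the app relied on an 'id code, or hash'."""
    return hashlib.sha256(username.encode()).hexdigest()


ID_CODE_TO_USER = {user_id_code(u): u for u in USERS}


def weak_fetch_profile(id_code: str) -> Optional[dict]:
    """Handler that authorises on the identifier alone.

    The id code says *who* the request claims to be (identification) but never
    proves it (authentication), so any request carrying another user's code is
    served that user's data. This is the elementary mistake in the article."""
    user = ID_CODE_TO_USER.get(id_code)
    return USERS[user] if user else None


# --- Hardened design -----------------------------------------------------

SESSIONS: Dict[str, str] = {}  # session token -> username


def login(username: str, password_ok: bool) -> Optional[str]:
    """Issue an unguessable session token only after a credential check.
    password_ok stands in for real password verification (constructed)."""
    if not password_ok or username not in USERS:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable from the user
    SESSIONS[token] = username
    return token


def _lookup_session(token: str) -> Optional[str]:
    # Constant-time comparison so the check does not leak matching prefixes.
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def strong_fetch_profile(token: str, requested_user: str) -> Optional[dict]:
    """Authenticate by token first, then authorise: the session decides whose
    data may be read, regardless of which account the request names."""
    user = _lookup_session(token)
    if user is None or user != requested_user:
        return None
    return USERS[user]


def demo() -> Dict[str, bool]:
    """Run both designs on the constructed data and report what each allows."""
    results = {}
    # Weak: presenting an identifier is enough to read that account.
    results["weak_identifier_is_trusted"] = weak_fetch_profile(user_id_code("bob")) == USERS["bob"]
    # Strong: a session only grants access to the account it was issued for.
    bob_token = login("bob", password_ok=True)
    results["strong_own_account"] = strong_fetch_profile(bob_token, "bob") == USERS["bob"]
    results["strong_other_account_denied"] = strong_fetch_profile(bob_token, "alice") is None
    results["strong_unknown_token_denied"] = strong_fetch_profile("not-a-real-token", "bob") is None
    results["bad_credentials_get_no_token"] = login("alice", password_ok=False) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the fixed version makes is that the identifier in a request is never evidence of anything; only a secret the server issued after checking credentials is, and the server must work out who the caller is from that secret rather than from what the request claims.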

If you're a user of either application, and you don't feel comfortable with your personal account potentially being accessible by others while you're waiting for the apps to be updated, I would recommend wiping your accounts.

Here are the appropriate links:

Take care folks.


7 Responses to Hacker exposes Grindr users' intimate information and explicit photos

  1. "At least, that's what I'm led to believe."

    I'm still laughing

  2. John T · 943 days ago

    "At least, that's what I'm led to believe."

    That's true journalism. Don't do the actual fact verification. Just have yourself "led to believe" something you heard is true. Pathetic.

  3. Guest · 943 days ago

    Wiped, wonder if Scruff does any better in sec, hope so

    • Modern1st · 943 days ago

      Unlikely that Scruff is any better - most of these apps are poorly designed...

  4. meh · 940 days ago

    An app designed to help you have sex with the closest attractive stranger has security issues? Riiiight.

  5. gay-and-clued · 932 days ago

    As a .. let's say clued developer (I have no affiliation), I can say Grindr is truly horrible with information security. I've analysed the client-server (gae, s3) chatter, and it's terrible.

    By the way, "deleting" your account won't delete your account. Pics appear retained forever, and that's the most damning.

    I'm prepping for a paper on vulnerabilities in a few high profile apps - Grindr and Scruff included - and the inherent risks personally, professionally and law enforcement-related (public data is public data, and you give up expectation of privacy when you allow an app to post your picture/info/geolocation data).

    Until a solid protocol can be hashed out (ietf is working on a couple), I'd say, buyer beware.

    Submitted as a Guest for obv. reasons.

    Anyone legit wishing to contact me, post an email addr here, and I'll find you.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.