A popular smartphone app used by the gay community to hook up with similarly-minded people in their vicinity suffers from a serious security vulnerability that could expose users' personal information and the explicit photos they have been sent.
At least that’s the claim being made in The Sydney Morning Herald today.
If you’re not familiar with it, Grindr takes the hassle out of finding new acquaintances in your neighbourhood. So, if you’re looking for gay guys or gals in your vicinity a quick ping on Grindr will not only show you their photographs and details, but also how many feet away they are from you.
Before you know it, you’re flirting with a complete stranger and they’re sharing their precise location with your smartphone. At least, that’s what I’m led to believe.
If you think that would be a niche interest, then sit down as I tell you that Grindr claims to have over three million users. Yup, these days the internet is all about location, location, location.
According to journalist Ben Grubb, an unnamed hacker has revealed how to log in as another user on the Grindr app (or, indeed, its less famous straight equivalent – Blendr) without permission, impersonate them, send chat and photo messages, and view passwords.
As the photos and communications that can be exchanged can be of a – how shall I put this? – delicate nature, you can understand the potential problems.
Grindr’s founder Joel Simkhai has responded by saying that both Grindr and Blendr will be patched “over the next few days”, and that the company will roll out a major new security upgrade in the coming weeks.
@concupiscentguy we are releasing an update in the next few days — Grindr (@Grindr), January 20, 2012
Although Grindr’s Twitter feed has acknowledged the security vulnerability, I couldn’t find any information on their official website.
However, the Sydney Morning Herald strongly suggests that the problem may lie in Grindr’s underlying systems relying upon an id code to access its database, rather than a better form of authentication such as a username and password.
The hacker reportedly found that he could replace his id code, or hash, with that of another user – and then access their account.
It’s an elementary security mistake that we have seen many websites caught out by before, not that that will be any consolation to the romance-hunting users of Grindr and Blendr.
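To make that elementary mistake concrete, here is an added illustration of my own (not Grindr's code, which I have not seen): a request handler that treats a client-supplied id as proof of identity, next to one that takes identity only from a server-issued session. The request shape, the session store and the sample profiles are all assumptions constructed for the example.

```python
import secrets

# Constructed sample data: user id -> profile (no real users).
PROFILES = {
    "u1": {"name": "Alice", "messages": ["hi from Bob"]},
    "u2": {"name": "Bob", "messages": ["hi from Alice"]},
}

# Server-side session store: opaque random token -> authenticated user id.
# The token carries no meaning and cannot be derived from another user's id.
SESSIONS: dict[str, str] = {}


def login(user_id: str) -> str:
    """Assumes credentials were already checked; issues an opaque session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def inbox_vulnerable(request: dict) -> list[str]:
    """Before: the client-sent 'id' *is* the identity, so whatever id the
    request carries is whose inbox gets returned (the flaw described above)."""
    return PROFILES[request["id"]]["messages"]


def inbox_fixed(request: dict) -> list[str]:
    """After: identity comes only from the server-issued session.
    A client-supplied id is never trusted; if present it must match."""
    user_id = SESSIONS.get(request.get("session", ""))
    if user_id is None:
        raise PermissionError("not authenticated")
    if request.get("id") not in (None, user_id):
        raise PermissionError("id does not match authenticated session")
    return PROFILES[user_id]["messages"]


def is_denied(request: dict) -> bool:
    """Helper for checking that the fixed handler rejects a request."""
    try:
        inbox_fixed(request)
    except PermissionError:
        return True
    return False
```

The fixed handler still lets the client send an id for convenience, but the server decides whose data is returned, and a mismatch is logged-worthy: it is exactly the request pattern a monitoring rule for this class of bug should flag.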
If you’re a user of either application, and you don’t feel comfortable with your personal account potentially being accessible by others while you’re waiting for the apps to be updated, I would recommend wiping your accounts.
Here are the appropriate links:
Take care, folks.