Sophos Cloud Optix
A popular smartphone app used by the gay community to hook-up with similarly-minded people in their vicinity suffers from a serious security vulnerability that could expose personal information and explicit photos that they have been sent.
At least that’s the claim being made in The Sydney Morning Herald today.
If you’re not familiar with it, Grindr takes the hassle out of finding new acquaintances in your neighbourhood. So, if you’re looking for gay guys or gals in your vicinity a quick ping on Grindr will not only show you their photographs and details, but also how many feet away they are from you.
Before you know it, you’re flirting with a complete stranger and they’re sharing their precise location with your smartphone. At least, that’s what I’m led to believe.
If you think that would be a niche interest, then sit down as I tell you that Grindr claims to have over three million users. Yup, these days the internet is all about location, location, location.
According to journalist Ben Grubb, an unnamed hacker has revealed how to log in as another user on the Grindr app (or, indeed, its less famous straight equivalent – Blendr) without permission, impersonate them, send chat and photo messages, and view passwords.
As the photos and communications that can be exchanged can be of a – how shall I put this? – delicate nature, you can understand the potential problems.
Grindr’s founder Joel Simkhai has responded by saying that both Grindr and Blendr will be patched “over the next few days”, and that the company will roll out a major new security upgrade in the coming weeks.
@concupiscentguy we are releasing an update in the next few days
— Grindr (@Grindr) January 20, 2012
Although Grindr’s Twitter feed has acknowledged the security vulnerability, I couldn’t find any information on their official website.
However, the Sydney Morning Herald strongly suggests that the problem may lie in Grindr’s underlying systems relying upon an id code to access its database, rather than a better form of authentication such as a username and password.
The hacker reportedly found that he could replace his id code, or hash, with that of another user – and then access their account.
It’s an elementary security mistake that we have seen many websites caught out by before, not that that will be any consolation to the romance-hunting users of Grindr and Blendr.
If you’re a user of either application, and you don’t feel comfortable with your personal account potentially being accessible by others while you’re waiting for the apps to be updated, I would recommend wiping your accounts.
Here are the appropriate links:
Take care folks.
"At least, that's what I'm led to believe."
I'm still laughing
“At least, that’s what I’m led to believe.”
Thast true journalism. Dont do the actual fact verification. Just have yourself “led to believe” something you heard its true. Pathetic.
You think I should have tested it for myself?
Not sure what Mrs Cluley would have thought of that..
Wiped, wonder if Scruff does any better in sec, hope so
Unlikely that Scruff is any better – most of these apps are poorly designed…
An app designed to help you have sex with the closest attractive stranger has security issues? Riiiight.
As a .. let's say clued developer (I have no affiliation), I can say, Grindr is truly horrible with information security. Ive analysed the client-server (gae, s3) chatter, and, it's terrible.
By the way, "deleting" your account won't delete your account. Pics appear retained forever, and that's the most damning.
I'm prepping for a paper on vulnerabilities in a few high profile apps – Grindr and Scruff included – and the inherent risks personally, professionally and law enforcement-related (public data is public data, and you give up expectation of privacy when you allow an app to post your picture/info/geolocation data).
Until a solid protocol can be hashed out (ietf is working on a couple), I'd say, buyer beware.
Submitted as a Guest for obv. reasons.
Anyone legit wishing to contact me, post an email addr here, and I'll find you.