Security Flaws Identified For Dating App Grindr


Popular gay dating app Grindr has been reported to have two major security flaws in its platform. According to an NBC News report published Wednesday, the issues can expose private information belonging to its 3 million users.

According to cybersecurity experts, the vulnerability can reveal to others the exact location of users who had opted out of sharing that information.

The flaw was discovered by Trever Faden, CEO of Atlas Lane, a startup that specializes in property management. He identified the issue after building a website called C**kblocked.

“His website allowed users to see who blocked them on Grindr after they entered their Grindr username and password. Once they did so, Faden was able to gain access to a trove of user data that is not publicly available on user profiles, including unread messages, email addresses, deleted photos, and the location data of users…”

Faden had also experimented with another website that exploited a very similar loophole. According to the report, the weakness is the same one that leaked the information of 50 million Facebook users: users handing access to one account over to a third-party service. More generally, users risk having their data harvested whenever they use their existing social media credentials to log in to other services.

Grindr lets users make their location public by default and offers an opt-out, but because of the loophole, users who opted out are still at risk.

Faden goes on to say that someone with very little technical skill can discover a user's exact location. Two independent cybersecurity researchers cited in the NBC report corroborated Faden's claims.


The second problem with Grindr also concerns location data, but it does not depend on users logging in to a third-party app or website with their Grindr credentials. The app has to send location information to Grindr's servers in order to work. That information is not encrypted in transit, however, so a passive observer on a public Wi-Fi network, for example, can read the location of anyone using the app.
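To make the second issue concrete, the following added example (not code from the original report, Faden, or Grindr) shows what a passive observer on a shared network can and cannot recover from captured traffic. The captured requests, hostnames, and paths are constructed placeholders, not Grindr's real endpoints; the parameter names (lat, lon, lng, latitude, longitude) are assumed common conventions. The point is the contrast between plaintext HTTP, from which coordinates can be pulled with a few lines of parsing, and the TLS record, which yields nothing.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of packet payloads a passive observer on a public Wi-Fi
# network might capture. Hosts and paths are hypothetical placeholders.
CAPTURED = [
    # Plaintext POST with coordinates in a form-encoded body
    b"POST /api/location HTTP/1.1\r\nHost: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 24\r\n\r\n"
    b"lat=40.7128&lon=-74.0060",
    # Plaintext GET with coordinates in the query string
    b"GET /nearby?lat=51.5074&lng=-0.1278&radius=500 HTTP/1.1\r\nHost: app.example\r\n\r\n",
    # Plaintext PUT with a JSON body
    b"PUT /me HTTP/1.1\r\nHost: app.example\r\nContent-Type: application/json\r\n"
    b"Content-Length: 50\r\n\r\n"
    b'{"latitude": 48.8566, "longitude": 2.3522, "v": 2}',
    # The same kind of update sent over TLS: only an opaque handshake/record is visible
    b"\x16\x03\x03\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32,
    # Unrelated plaintext request carrying no coordinates
    b"GET /status HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

LAT_KEYS = ("lat", "latitude")
LON_KEYS = ("lon", "lng", "longitude")
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|PATCH|DELETE) \S+ HTTP/1\.[01]\r\n")


def is_plaintext_http(payload: bytes) -> bool:
    """True if the payload starts with an HTTP/1.x request line (i.e. is readable)."""
    return REQUEST_LINE.match(payload) is not None


def _parse_request(payload: bytes):
    """Split a plaintext HTTP request into (target, lower-cased headers, body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers, body


def extract_coordinates(payload: bytes):
    """Return (lat, lon) as floats if a plaintext request exposes them, else None.

    Looks in the query string, a form-encoded body, and a JSON object body.
    """
    if not is_plaintext_http(payload):
        return None  # TLS or other non-HTTP bytes: nothing readable here
    target, headers, body = _parse_request(payload)
    fields = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        if isinstance(doc, dict):
            fields.update({k: str(v) for k, v in doc.items()})
    elif ctype.startswith("application/x-www-form-urlencoded"):
        fields.update({k: v[0] for k, v in parse_qs(body.decode("ascii", "replace")).items()})
    lat = next((fields[k] for k in LAT_KEYS if k in fields), None)
    lon = next((fields[k] for k in LON_KEYS if k in fields), None)
    if lat is None or lon is None:
        return None
    try:
        return float(lat), float(lon)
    except ValueError:
        return None


def find_location_leaks(packets):
    """Coordinates recoverable from a capture, in the order they were observed."""
    leaks = []
    for packet in packets:
        coords = extract_coordinates(packet)
        if coords is not None:
            leaks.append(coords)
    return leaks


if __name__ == "__main__":
    for coords in find_location_leaks(CAPTURED):
        print("location exposed in the clear:", coords)
```

The fix on the app side is not to hide the parameter names but to send the request over TLS, at which point the observer sees only records like the fourth sample; checking a capture with logic like the above is a quick way to confirm whether an app still sends location in the clear.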

“In a statement issued to NBC News, Grindr said it was aware of the vulnerabilities that Faden had found and had changed its system to prevent access to data regarding blocked accounts. The company did not change access to any of the other data or how its app sends location data openly over the internet. After Grindr changed its policy on access to data on which users had blocked other users, Faden shut down his website.”

Grindr has also warned its users via Twitter not to use their Grindr login credentials to access other apps or websites.