> we believe we addressed the issue before it was exploited by any malicious parties
I wonder how they are sure of this.
In their logs, there would be no difference between a legitimate password reset and a malicious one, given that even a legitimate flow would result in an initial request from some IP address, then when the user receives the email with the reset link they will most likely click on that from the same computer, thus the same IP address showing up on the logs. In case of a malicious attempt the same pattern would be seen - there is no way for them to know whether the user obtained the reset token from the e-mail (as they should) or directly from the password reset endpoint itself.
If your company is being actively targeted by nation states (and rest assured, Grindr is), you should have a serious security team where this sort of stuff shouldn't have seen the light of day.
I'm not exaggerating when I say this bug may have gotten people locked up, or been the lever for corporate/government espionage.
Considering Egypt is using apps like this to persecute LGBT people, this is absolutely horrifying.
I'm so glad I've gone social media free, all the big players in this space have shown repeatedly they don't care about the safety of their users. Grindr was already caught sharing HIV status information with 3rd parties. Eventually these horrible companies will be regulated, but tons of people are going to be harmed before that happens.
Back when I reported a Grindr security flaw (2016), I couldn't find them on any of the bounty sites, security@grindr.com bounced, and support failed to route it correctly.
Reaching out to their CTO, who I found on LinkedIn, and firstname.lastname@grindr.com got a reply in 8 minutes.
Sad to see they still haven't upped their security game.
That's appalling.
Bug bounties are all well and good, but a basic pen test would have picked that up. They aren't that expensive and for a business trading in data that can get you killed in some parts of the world, should be mandatory.
My understanding -
Grindr doesn't store your chat history, so logging in on a new device won't show your old chat messages. Phew.
Grindr is particularly bad at security. It was fairly easy to triangulate users' locations until fairly recently and some users were being harassed, and Grindr ignored their reports for a long time.
It was also fairly easy to use fake locations until fairly recently which was also causing problems for non-users.
Grindr regularly shuts down accounts with no process. It's very easy to lose your contacts.
Grindr lies about what information they retain. They claim to hold very little information, which they provide when your account is shut down. However they must retain a list of your blocks and favorites in order to function. They lie and say they don't retain this info.
Because of the nature of their service, they should be on top of all this stuff, but they are really bad at it.
This issue is incredibly strange and severe.
One thing I did notice, though: The timestamps on the Twitter DMs, which were used as evidence to assert that they're unresponsive in DMs, cover a time period of 90 minutes. The language the Twitter client is set to is also not English (maybe French? the original discovery was made by someone who lives in France. I don't know), which introduces the possibility that it wasn't even daytime in the US when those were sent.
I'm all for publicly announcing these things (in a responsible way) and forcing a quicker response from the company, and it's also likely that Troy tried to reach out on his own, but I just think that screenshot is a bad example of a company not responding to DMs. If it had been 48 hours to a week, then I'd be in the concerned camp.
> Hey, do you have a Grindr account?
> Lol
I can understand this is most probably a private lol by a surprised. But how about we at least stop making these "are you gay? Lol!" a public moment worth screenshotting?
An Ashley Madison data leak is a national embarrassment whereas a Grindr one, a "national security threat" [1]. Being on AM is just a vaudevillian indiscretion, being on Grindr is bro lol that feeds hate and wrecks lives.
[1] https://www.theverge.com/interface/2019/3/28/18285274/grindr-national-security-cfius-china-kunlun-military
I’m not an engineer, but I can say that for a very long time Grindr felt like it was basic, poorly built, and generally unreliable. A couple of years ago it felt like there was a serious wave of investment in the app - the UI got better, it stopped dropping messages and having random outages - but clearly the DNA of the company hasn’t really changed.
OK, I know it's easy to say "well of course it's not safe, don't send nudes and don't go on sketchy hookups". But, to paraphrase Drag Race: men are rotted gila monsters. _(I'm a gay male, I can say that. Also I speak from experience. I've seen things you people wouldn't believe.)_
So, as a thought exercise, how do you make an app like this more secure? Harm reduction is the name of the game. What are the best practices for this? Is it 2FA? Is it encryption keys linked to one device? Is it copying principles from Signal? Is it just having competent developers?
I have very little trust in the capabilities and interest of the Grindr team to do anything but making money with overpriced subscriptions. It's riddled with bugs, years old, yet they keep adding new, unnecessary features like video chat to justify their insanely priced "unlimited" subscription.
This year there have been a few months where your own profile data would not load, making you think you'd lost your profile data and having to create it all again. Yet all you needed to do was to restart the app ~10 times to get it to load.
Sometimes messages just... get lost in the ether.
The "online now" notification is flaky.
Grindr Online (web browser) is a whole new mess. I haven't used it in a long while, but the first months it felt as "professional" as an intern's side project. Also you need to keep Grindr open on the phone while using it, kind of defeating the purpose.
The setting to use the metric system still resets to imperial regularly.
The app is full of fakers, yet they still have no identity validation feature.
I guess the good news is that it requires knowledge of the user's email address to execute. You can't just run it on random people (emails aren't disclosed) and even if you know someone on the app in real life, chances are good that they use a personal address that you won't have.
Still a pretty bad vulnerability and pretty awful that Grindr was ignoring it.
A startup I worked for had this exact same security issue. I brought it up to the tech lead/CEO but they were in denial about it. Hand-rolled password reset by dummies, basically.
I've been on Grindr for years, and I know first hand that their support is as bad as it can get. _Seriously_. I know because they also have a big automated ban problem. In trying to fight their bot issue, they've started auto-banning accounts that trigger their filter in some way or another. I've been banned 4 times without cause. Each time you have to contact support, who seemingly are either unable or not allowed to answer with anything other than canned responses. Three times the support person realized the ban was erroneous and lifted it without further ado. One time the person affirmed it, all while refusing to break from the canned responses or provide any justification. Most frustrating experience I've ever had with a digital service.
As far as I can tell Grindr has had crappy security and a willfully negligent response to security concerns for its entire existence. Don't forget the real-time location tracking of people with Grindr.
Don't use Grindr.
This will continue to happen as long as companies aren't given any reason to care. The incentives simply don't work out, and I highly doubt the market will ever change that at this point.
I've fixed this exact vulnerability (sans QR code) for a client of mine in the last 2 years. I place the cause for these kinds of issues on the split between "frontend" and "backend" developers, with many frontend developers coming out of code camps able to build client-side rendered single page applications and being very proficient in JavaScript but not having experience with aspects of security-related software design. Back in the olden days, coming through learning PHP which was all server-side, you got a lot more exposure to that. Less so with these React-heavy code camps.
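The reset flow the thread keeps coming back to (the first comment's point that the logs cannot tell a token taken from the endpoint apart from one taken from the e-mail, and the fix described in the comment above) as an added example; this is not code from the thread or from Grindr, and the user table, token table and mail outbox are constructed in-memory stand-ins. The flawed handler echoes the token in the HTTP response; the hardened one returns the same message for every address and lets the token leave the server only inside the e-mail.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the user table, the token table and the mailer.
USERS = {"alice@example.com": {"id": 1, "password": "old-password"}}
RESET_TOKENS = {}   # sha256(token) -> (user_id, expiry); the raw token is never stored
OUTBOX = []         # (address, reset link) pairs the mailer would deliver

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def mint_token(user_id, ttl=900):
    """Create a random, single-use, time-limited token and store only its hash."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = (user_id, time.time() + ttl)
    return token

def request_reset_vulnerable(email):
    """The flawed design discussed in the thread: the secret that should only
    travel by e-mail is echoed to whoever submitted the address."""
    user = USERS.get(email)
    if user is None:
        return {"status": 404}            # also confirms which addresses exist
    return {"status": 200, "reset_token": mint_token(user["id"])}

def request_reset_hardened(email):
    """Same response whether or not the address is registered; the token only
    leaves the server inside the e-mail, so the caller learns nothing."""
    user = USERS.get(email)
    if user is not None:
        link = "https://app.example/reset?token=" + mint_token(user["id"])
        OUTBOX.append((email, link))
    return {"status": 200, "message": "If that address is registered, a reset link has been sent."}

def redeem(token, new_password):
    """Consume a token from the e-mail link. Returns the user id on success, else None."""
    key = _digest(token)
    entry = RESET_TOKENS.pop(key, None)   # single use, whether or not it is still valid
    if entry is None:
        return None
    user_id, expiry = entry
    if time.time() > expiry:
        return None
    for user in USERS.values():
        if user["id"] == user_id:
            user["password"] = new_password
    return user_id
```

Note that with the hardened handler the server still cannot tell from the request logs alone whether a redeemed token came from the e-mail, which is exactly why the response must never carry it.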
That 'bug' is _so_ stupid and elementary that I'm disinclined to think it's a bug. If they had _any_ security people, it'd never have existed. So ... they just don't _give a shit_. Surprise?
I’ve worked on these types of features and this is egregiously bad. Where I work, we won’t even tell you the full email address that we’re sending the password reset to.
All you need to do is buy a seat on an RTB exchange and you can already collect pretty much all the information you need without having to hack anything.
Our digital infrastructure is _ludicrously_ insecure and open to abuse. The stable door is wide open, and has been for over a decade.
I'm not even sure I'd call this a security flaw or bug... It seems like the design was wrong or it just wasn't done right for some reason. A post-mortem on how this ended up in production would be interesting.
Getting in touch with "the right people" seems to be hard at a lot of companies for rare issues like this.
Imagine another rare issue - say I want to speak to the board of directors to give them a buyout offer... Would I manage that through in-app chat?
Didn't ytcracker work for Grindr?
It's a hard thing to Google, but I follow him on Twitter and I thought that was the case. If so, this is a hilarious event for some other rapper to dunk on.
fuck _"responsible disclosure"_
the outcome of this runaround was that grindr stated they will create a bug bounty program
proving once again that the "market based bug bounty program" has better aligned incentives and results in solving the same thing, vulnerabilities that should have been fixed to begin with were fixed.
Grindr was owned by a Chinese video game company from 2016 to 2020. Under pressure from the US government it was sold to a Southern California company.
Troy is obviously a good guy but I think he may be stepping into murky waters here with the switch from logging pwns to actively investigating.
Think he'll do a legit job either way but it seems like a gamble to me. Investigative stuff is well...more murky