Sexuality, relationships and online dating are all rather personal things. They're aspects of our lives that many people choose to keep private or at the very least, share only with people of our choosing. Grindr is "The World's Largest Social Networking App for Gay, Bi, Trans, and Queer People" which, for many people, makes it particularly sensitive. It's sensitive not just because using the service implies one's sexual orientation, but because of the sometimes severe ramifications of fitting within Grindr's target demographic. For example, in 2014 Egypt's police were found to be using Grindr to "trap gay people" which was particularly concerning in a country not exactly up to speed with LGBT equality. Another demonstration of how valuable Grindr data is came last year when the US gov deemed that Chinese ownership of the service constituted a national security risk. In short, Grindr data is very personal and inevitably, very sensitive for multiple reasons.
Earlier this week I received a Twitter DM from security researcher Wassime BOUIMADAGHENE:
I contact you because I reported a serious security issue to one of the biggest dating applications for gays (Grindr) but the vendor keeps ignoring me! I sent them all the technical details but no way. The vulnerability allows an attacker to hijack any account.
He wanted help in disclosing what he believed was a serious security vulnerability and clearly, he was hitting a brick wall. I asked for technical detail so I could validate the authenticity of his claim and the info duly arrived. On the surface of it, things looked bad: complete account takeover with a very trivial attack. But I wanted to verify the attack and do so without violating anyone's privacy so I asked Scott Helme for support:
Scott's dealt with plenty of security issues like this in the past, plus he helped me out with the Nissan Leaf disclosure a few years ago too and was happy to help. All I needed was for Scott to create an account and let me know the email address he used which in this case, was test@scotthelme.co.uk.
The account takeover all began with the Grindr password reset page:
I entered Scott's address, solved a Captcha and then received the following response:
I've popped open the dev tools because the reset token in the response is key. In fact, it's the key and I copied it onto the clipboard before pasting it into the following URL:
https://neo-account.grindr.com/v3/user/password/reset?resetToken=Isg6zl3q5fZsyAnAB8OCdnRgBSIYfpKkCO0O4pP1WLN0pwuClUqX24ImrLc6bb7T7DWSyFMG5lREHQmS4CsFR5uh8GEYQxF6Z6V5hsi3vSTuilXzgKRRItwdDIjmSWdq&email=test@scotthelme.co.uk
You'll see both the token and Scott's email address in that URL. It's easy for anyone to establish this pattern by creating their own Grindr account then performing a password reset and looking at the contents of the email they receive. When loading that URL, I was prompted to set a new password and pass the Captcha:
And that's it - the password was changed:
So I logged in to the account but was immediately presented with the following screen:
Huh, so you need the app? Alrighty then, let's just log in via the app:
And... I'm in!
Full account takeover. What that means is access to everything the original Grindr account holder had access to, for example, their profile pic (which I immediately changed to a more appropriate one):
Around this time, Scott started receiving private messages, both a request to meet personally and a request for pics:
The conversation with Luke went downhill pretty quickly and I can't reproduce it here, but the thought of that dialogue (and if he'd sent them, his pics) being accessed by unknown third parties is extremely concerning. Consider also the extent of personal information Grindr collects and as with Scott's messages, any completed fields here would immediately be on display to anyone who accessed his account simply by knowing his email address:
A couple of years ago it made headlines when Grindr was found to be sending HIV status off to third parties and given the sensitivity of this data, rightly so. This, along with many of the other fields above, is what makes it so sensational that the data was so trivially accessible by anyone who could exploit this simple flaw.
And as for the website I couldn't log into without being deferred back to the mobile app? Now that I'd logged into the app with Scott's new password, subsequent attempts simply allowed me to authorise the login request myself:
And that's it - I'm in on the website too:
This is one of the most basic account takeover techniques I've seen. I cannot fathom why the reset token - which should be a secret key - is returned in the response body of an anonymously issued request. The ease of exploit is unbelievably low and the impact is obviously significant, so clearly this is something to be taken seriously...
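To make the root cause concrete, here is an added example (not Grindr's code, which this post never shows) of the vulnerable reset pattern described above next to a hardened one: the same token is minted in both, but only the hardened handler keeps it out of the anonymous HTTP response, stores just a hash of it, and enforces expiry and single use. The account store, mail outbox, `example.com` address and `example.invalid` hostname are all constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-ins for the account database and mail server.
ACCOUNTS = {"user@example.com": {"password": "old-password"}}
OUTBOX = []          # every dict appended here represents one email sent
PENDING = {}         # email -> (sha256 hex of token, expiry timestamp)
TOKEN_TTL_SECONDS = 15 * 60


def _issue_token(email):
    """Mint a random token and persist only its hash, so a database leak
    does not hand out live reset secrets."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[email] = (digest, time.time() + TOKEN_TTL_SECONDS)
    return token


def vulnerable_request_reset(email):
    """The defect in the post: the reset token, which should only ever reach
    the mailbox, is echoed back to whoever submitted the email address."""
    token = _issue_token(email)
    return {"status": "ok", "resetToken": token, "email": email}


def hardened_request_reset(email):
    """Token travels only by email; the response is identical whether or not
    the address is registered, so the endpoint also leaks no account list."""
    if email in ACCOUNTS:
        token = _issue_token(email)
        link = f"https://example.invalid/reset?resetToken={token}&email={email}"
        OUTBOX.append({"to": email, "link": link})
    return {"status": "ok",
            "message": "If that address is registered, a reset email is on its way."}


def complete_reset(email, token, new_password):
    """Redeem a token: unexpired, compared in constant time, usable once."""
    entry = PENDING.get(email)
    if entry is None:
        return False
    digest, expires_at = entry
    if time.time() > expires_at:
        PENDING.pop(email)
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return False
    PENDING.pop(email)                       # single use
    ACCOUNTS[email]["password"] = new_password
    return True
```

The detection angle follows directly: a reset endpoint whose anonymous response body contains anything token-shaped is the finding, regardless of what the email says.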
Except it wasn't. The person who forwarded this vulnerability also shared their chat history with Grindr support. After some to-and-fro, he provided full details sufficient to easily verify the account takeover approach on September 24. The Grindr support rep stated that he had "escalated it to our developers" and immediately flagged the ticket as "resolved". My contact followed up the next day and asked for a status update and got... crickets. The following day, he attempted to contact the help / support email addresses as well and after 5 days of waiting and not receiving a response, contacted me. He also shared a screenshot of his attempt to reach Grindr via Twitter DM which, like the other attempts to report the vulnerability, fell on deaf ears.
So I tried to find a security contact at Grindr myself:
Anyone got a security at @Grindr they can connect me to?
— Troy Hunt (@troyhunt) October 1, 2020
I'm conscious that sending a tweet like that elicits all sorts of responses (which inevitably followed it) and implies that something cyber is amiss with Grindr. I only tweet publicly once reasonable attempts to make contact privately fail and based on the previous paragraph, those attempts were more than reasonable. A friend actually DM'd me on Twitter and suggested the following:
Not sure that Grindr tweet was necessary, given their DMs are open and they reached out to you fairly soon after
This is why I didn't DM them:
That route was tried and failed and I suggest the only reason their Twitter account publicly replied to me was because my tweet garnered a lot of interest.
After my tweet went out, I had multiple people immediately reach out and provide me with contact info for their security team. I forwarded on the original report and within about an hour and a half of the tweet, the vulnerable resource was offline. Shortly after, it came back up with a fix. In fairness to Grindr, despite their triaging of security reports needing work, their response after I managed to get in touch with the right people was exemplary. Here's how they responded when approached by infosec journo Zack Whittaker:
We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.
All in all, this was a bad bug with a good outcome: Grindr did well once I got in touch with them, I believe they're making some positive changes around handling security reports and, of course, the bug has been fixed. Oh - and Scott made some new friends 😊