Hey there Guys,
Just in case you haven’t seen this yet, the popular gay pickup app Grindr has recently been hacked.
To quote the press release from the Sydney Morning Herald:
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.
The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had “no real security” and were “poorly designed”.
The founder of the apps, Joel Simkhai, conceded both were vulnerable and he was rushing to release a patch to address the issues.
It is understood the hacker took advantage of the fact the apps used a personalised string of numbers known as a hash, instead of a user name and password, to log in. The hash is exchanged between users’ smartphones so they can communicate with each other, but the hacker discovered it could be replaced with another user’s hash to enable the hacker to:
– Log in as any user
– See the user’s favourites
– Change their profile information and profile picture
– Talk to others as the user
– Access pictures sent to the user
– Impersonate a user’s “favourite” and talk to them as a friend
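The design flaw the article describes, as an added example that is not part of the quoted article or of Grindr’s own code: a login that accepts a client-supplied, user-derived hash as identity, beside the usual fix, a credential check that issues a random server-side session token. The account names and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts (hypothetical names and passwords). A real
# service stores a salted password hash, not the password itself.
USERS = {"alice": "correct horse", "bob": "battery staple"}


def profile_hash_for(username):
    """The 'personalised string' as the article describes it: derived from
    the user, so it is the same every session and known to every peer."""
    return hashlib.sha256(username.encode()).hexdigest()


PROFILE_BY_HASH = {profile_hash_for(u): u for u in USERS}


def login_by_hash(profile_hash):
    """Flawed design: the client-supplied hash *is* the identity. Nothing ties
    it to a secret, so any peer who has seen it can present it."""
    return PROFILE_BY_HASH.get(profile_hash)


# Hardened design: identity is proven with a credential, and the server then
# issues an unguessable session token that is never derived from the user.
SESSIONS = {}


def login_with_password(username, password):
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, per session
    SESSIONS[token] = username
    return token


def whoami(token):
    """Resolve a session token; a profile hash or a guessed value maps to nothing."""
    return SESSIONS.get(token)


def logout(token):
    """Server-side revocation, which a static per-user hash cannot offer."""
    SESSIONS.pop(token, None)
```

With the hardened design a leaked or observed profile hash is just a public identifier, and a compromised session can be revoked without changing who the user is.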
Founder and CEO of Grindr, Joel Simkhai has responded in his latest blog post:
There’s nothing more important to me than our users — we owe our success to our Grindr community who have helped spread the word about their great experiences. Your security and the security of our platform are a core priority. Like other responsible companies, we don’t comment on specifics of security enhancements or allegations about network issues – that wouldn’t serve the security of our users, our networks, or web security in general. As a result of Grindr’s ongoing investigation, we took legal and technological actions to block a site that violated our terms of service. This site impacted a small number of primarily Australian Grindr users and it remains shut down.
We continuously make improvements to our platform to increase security across our networks. We are releasing a mandatory update to our apps over the next few days to enhance security. When the update is available, users will be notified via in-app messaging, on Twitter and on this blog post. Our users can be assured that Grindr does not retain chat history, credit card information, or addresses – and no such information was ever compromised.
Despite the message above, I noted that Grindr was up and running today from my home here in Melbourne.
If you are concerned about your profile’s security, may I suggest you close your account until the security update has been released. Learn the steps to delete your account here.
At this point I am not sure if other popular gay web apps Growlr or Scruff have been affected.