Grindr, a social networking smartphone application addressed to gay communities, and its straight counterpart Blendr were found to contain some serious vulnerabilities that would allow anyone to take over a user’s profile and modify its content.
The app uses a device’s GPS to locate other individuals and according to the developer’s website, more than one million people use it worldwide.
The Sidney Morning Herald reveals that an unnamed hacker proved how easily accounts can be overtaken and even created a website that exploited some of the flaws. The vulnerabilities were proven by the hacker by changing the profile pictures of some users to explicit ones.
The security weakness allows anyone who wants to do damage to log in as any user, see favourites, change profile information and pictures, talk to other customers and access the pictures sent to the victim.
All this is possible due to a hash that the phones exchange when users are communicating with each other. This hash can be utilized to access an account, without the attacker needing to know passwords or usernames.
Grindr’s CEO and founder Joel Simkhai explained that a patch was being developed to address the vulnerabilities.
“We [do] get people trying to hack into our servers. That's something that I am aware of and we certainly have a team in place that are working to prevent that,” Simkhai told SMH.
“We are certainly aware of a lot of these vulnerabilities and ... they will be fixed as fast as humanly possible.”
Referring to the vulnerability found in Grindr and Blendr, Graham Cluley, a senior technology consultant at Sophos says that they’re “elementary security mistakes” that many sites contain.
In the meantime, while the patches are being delivered, users can delete their profile if they fear their privacy is at risk.