Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?
LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address.
French bug-finder Wassime Bouimadaghene spotted that when you go to the app's website and attempt to reset an account's password using its email address, the site responds with a page that tells you to check your inbox for a link to reset your login details - and, crucially, that response contained a hidden token.
Thus you could enter someone's account email address into the password reset page, inspect the response, get the leaked token, construct the reset URL from the token, click on it, and you'd get to the page to enter a new password for the account.
After reporting the blunder to Grindr and getting no joy, Bouimadaghene went to Aussie internet hero Troy Hunt, who eventually got hold of people at the software maker, the bug got fixed, and the tokens were no longer leaking out.
"We believe we addressed the issue before it was exploited by any malicious parties," Grindr told TechCrunch.
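The flaw described above, with a corrected handler and a regression check, as an added example that is not Grindr's code. The user store, outbox, handler names and the `resetToken` field are hypothetical, and the uniform response, hashed storage and single-use redemption are hardening assumptions that go beyond what the report states.

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for a user table, token table and mail queue.
USERS = {"alice@example.com"}
RESET_TOKENS = {}   # sha256(token) -> email, so a database read does not expose tokens
OUTBOX = []         # (recipient, token) pairs handed to the mail system

GENERIC = {"status": "ok",
           "message": "If the address is registered, a reset link has been sent."}

def _issue_token(email):
    """Create a random reset token, store only its hash, and queue the email."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    OUTBOX.append((email, token))
    return token

def request_reset_leaky(email):
    """Flawed pattern: the HTTP response body carries the emailed secret."""
    if email not in USERS:
        return {"status": "error"}
    token = _issue_token(email)
    return {"status": "ok", "message": "Check your inbox.", "resetToken": token}

def request_reset_fixed(email):
    """The token travels only to the mailbox; the response never varies."""
    if email in USERS:
        _issue_token(email)
    return dict(GENERIC)

def response_leaks_token(handler, email):
    """Regression check: does a token mailed for this request appear in the response?"""
    start = len(OUTBOX)
    body = repr(handler(email))
    return any(token in body for _, token in OUTBOX[start:])

def redeem(token):
    """Resolve a token to its account by hash; pop() makes it single use."""
    return RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

A check like `response_leaks_token` belongs in the test suite of any reset endpoint, since possession of the token is the only proof that the requester controls the mailbox.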
News URL
https://go.theregister.com/feed/www.theregister.com/2020/10/03/in_brief_security/