On Wednesday, March 28, NBC reported that Grindr security flaws expose users' location data, a story which ticks several hot-button topics for security professionals and security journalists alike. It is centered around the salacious topic of online dating in the LGBT community, and hits a personal safety concern for people using the app everywhere, not to mention the possibility of outing LGBT people in regions where being gay, bisexual, or trans is illegal or dangerous.
Unfortunately, this story is guilty of some of the worst kind of FUD (fear, uncertainty, and doubt) that still happens when some journalists cover our industry. I am here to tell you, dear Grindr user, that there is nothing going on at Grindr that is unreasonably exposing your location data. In this case, the devil is in the details.
What's Not A Vuln
Ultimately, when you read the NBC story, you can see where this reporting shifts from news to FUD:
His website let users see who blocked them on Grindr after they entered their Grindr username and password. Once they did so...
I'm going to just stop you right there, since this is a pretty big red flag about the described vulnerability. "After they entered their Grindr username and password" means "after the user voluntarily compromised themselves." Any vulnerability that exposes user data, but depends entirely on the attacker already having the most sensitive piece of user data available (the password), isn't a vulnerability.
Of course, I had to be missing something. Maybe there was some privilege escalation trick in play that let the attacker, armed with any username and password, see other people's data, or all the data, or something like that. Also, the location data bit seemed off, too. I was pretty sure Grindr used normal SSL and normal API calls for location services, so I wasn't sure what the location exposure was about. Did that also depend on already having the user's password?
Phishing for LOLs
To get to the bottom of this, I got on the phone with Trever Faden the next day to ask for his write-up, since I didn't see one linked in any of the stories. Turns out, he didn't do any formal research. Trever is a nice guy and a smart web services developer, but he told me flatly that he's "not a security researcher." With that caveat, he then enthusiastically described what was really going on with Grindr and his own service, C*ck Blocked (hereafter referred to as "CB").
CB worked like this: you, a Grindr user, provide your username and password. CB turns around and authenticates to Grindr as you, makes a normal-looking API request for your status, and that response contains an array of users who have blocked you. This array isn't normally shown in the Grindr UI, so surfacing it is the service CB provides.
Now, you could make an argument that this is an information disclosure, kinda-sorta like the Yopify issue we disclosed nearly a year ago. Sometimes APIs return data that is sensitive and rely on client-side protections to keep that data private. However, the information on who blocked you isn't really all that sensitive: it tends to be pretty obvious to the user when the suspected blocker suddenly disappears, and it is easy to confirm just by creating a new account. So this isn't really a security vulnerability, but more of an application misfeature.
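To make the "misfeature versus vulnerability" distinction concrete, here is an added toy model, written for this post and not Grindr's or CB's code. It models a status endpoint that ships a hidden `blocked_by` array and trusts the client UI to hide it, next to a hardened handler that applies a server-side field allowlist. The user records, passwords, field names and function names are all constructed for the example; the real API's shape is not known here.

```python
"""
Added illustration: an API that leaks a hidden array to any holder of the
user's credentials, versus one that filters fields on the server.
Everything below (users, passwords, field names) is constructed sample data.
"""

# Constructed sample accounts; nothing here comes from a real service.
USERS = {
    "alice": {
        "password": "hunter2",
        "display_name": "Alice",
        "distance_m": 420,
        "blocked_by": ["bob", "carol"],      # the UI never renders this
        "email": "alice@example.invalid",   # nor this
    },
    "bob": {
        "password": "correct-horse",
        "display_name": "Bob",
        "distance_m": 1200,
        "blocked_by": [],
        "email": "bob@example.invalid",
    },
}


class AuthError(Exception):
    """Raised when the supplied username/password pair is wrong."""


def authenticate(username, password):
    """Password check for the toy service; returns the account name."""
    record = USERS.get(username)
    if record is None or record["password"] != password:
        raise AuthError("bad credentials")
    return username


def login_ok(username, password):
    """True if the credentials are accepted, False otherwise."""
    try:
        authenticate(username, password)
        return True
    except AuthError:
        return False


# Misfeature: the server returns everything it knows about the caller and
# relies on the client to hide `blocked_by` and `email`. Whoever holds the
# credentials (the user, or a third-party service the user handed them to)
# sees the whole record, but still only their own record.
def status_misfeature(username, password):
    who = authenticate(username, password)
    return {k: v for k, v in USERS[who].items() if k != "password"}


# Hardened: the server decides what leaves the API. Only fields on the
# endpoint's allowlist are serialized, so `blocked_by` never ships and no
# amount of client-side poking can recover it.
STATUS_FIELDS = ("display_name", "distance_m")


def status_hardened(username, password):
    who = authenticate(username, password)
    return {k: USERS[who][k] for k in STATUS_FIELDS}


# What a CB-style "who blocked me" service gets out of a handed-over
# password against each variant of the endpoint.
def who_blocked_me_via_api(username, password):
    return status_misfeature(username, password).get("blocked_by", [])


def who_blocked_me_hardened(username, password):
    return status_hardened(username, password).get("blocked_by", [])


if __name__ == "__main__":
    print("leaky:", status_misfeature("alice", "hunter2"))
    print("hardened:", status_hardened("alice", "hunter2"))
    print("CB sees:", who_blocked_me_via_api("alice", "hunter2"))
```

Note that neither variant lets Bob's credentials read Alice's record; the leak, such as it is, is scoped to the account whose password was surrendered. That is why the fix is an allowlist on the server, and why handing a password to a third party is the real exposure regardless of how the endpoint is shaped.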
No matter how you slice it, though, it does all depend on already knowing the user's username and password, and while Trever absolutely seems like a stand-up guy, there's no way to guarantee that he wasn't secretly logging all 16,000 or so people's account credentials. If you provided CB your password, you should change it immediately.