Central PA's LGBT News Source
Grindr, a gay-dating app, suffers from a security issue that can expose the information of its more than 3 million daily users, reports Brian Latimer. The security issue also includes the location data of people who have opted out of sharing such information, according to cybersecurity experts.
The security flaw was identified by Trever Faden, CEO of the property management startup Atlas Lane, after he created a website called C*ckblocked (the asterisk is part of the name of the service). His website allowed users to see who blocked them on Grindr after they entered their Grindr username and password. Once they did so, Faden was able to gain access to a trove of user data that is not publicly available on user profiles, including unread messages, email addresses, deleted photos, and the location data of users, some of whom have opted to not share their locations publicly.
Faden’s website exploited a similar security loophole to the one that leaked the information of 50 million Facebook users through a quiz connected to the social network, highlighting the risk that people face in using existing social media accounts to log in to other services.
Grindr makes public the location of many of its users, but allows users to opt out of this feature. Faden found that he could determine the location of users who had opted out if they connected their Grindr profiles through his third-party website.
“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user's exact location,” Faden explained. Two independent cybersecurity researchers, affiliated with neither Faden nor Grindr, backed up Faden's claim.
In a statement issued to NBC News, Grindr said it was aware of the vulnerability that Faden had found and had changed its system to prevent access to data regarding blocked accounts. The company did not change access to any of the other data. After Grindr changed its policy on access to data on which users had blocked other users, Faden shut down his website.
The company also warned people not to use their Grindr logins for other apps or websites.