Security flaw in Grindr exposed locations to third-party service

Users of Grindr, the popular dating app for gay men, may have been broadcasting their location despite having disabled that particular feature. Two security flaws allowed for discovery of location data against a user’s will, though they take a bit of doing.

The first of the flaws, which were discovered by Trever Faden and reported first by NBC News, allowed users to see a variety of data not available normally: who had blocked them, deleted photos, locations of people who had chosen not to share that data and more.

The catch is that if you wanted to find out about this, you had to hand over your username and password to Faden’s purpose-built website, C*ckblocked (asterisk original), which would then scour your Grindr account for this hidden metadata.

Of course it’s a bad idea to surrender your credentials to any third party whatsoever, but regardless of that, this particular third party was able to find data that a user should not have access to in the first place.

The second flaw involved location data being sent unencrypted, meaning a traffic snooper might be able to detect it. (In its comment, Grindr says it encrypts and obfuscates location data, but has not specifically denied the existence of this issue.)

It may not sound too serious to have someone watching a Wi-Fi network know a person’s location — they’re there on the network, obviously, which narrows it down considerably. But users of a gay dating app are members of a minority often targeted by bigots and governments, and having their phone essentially send out a public signal saying “I’m here and I’m gay” without their knowledge is a serious problem.

I’ve asked Grindr for comment and confirmation; the company told NBC News that it had changed how data was handled in order to prevent the C*ckblocked exploit (the site has since been shut down), but did not address the second issue.

Update: Grindr has offered a statement on these issues, which I quote in part below (emphasis theirs):

Anytime a user discloses their login credentials to an unknown third-party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing.

Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.

Furthermore, the statement points out, “In territories where homosexuality is criminalized, or it is otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users.”

I’ve asked for any further information on the possibility that location data was, as reported, sent unencrypted. I’ll update if I hear back.

Powered by WPeMatico