Grindr security hole made it easy to hijack accounts





As TechCrunch reports, gay dating app Grindr had a serious security vulnerability that could have allowed anyone to hijack control of a Grindr user’s account.


All you would need to seize control of a user’s account would be their email address.


French security researcher Wassime Bouimadaghene discovered the security hole, which was in how Grindr handles password resets.





In short, if you forget your Grindr password you can request a reset. Grindr then emails the owner of the account with a clickable link which will take them to a password reset page. To prevent mischief-making, the clickable link contains a secret reset token.


The token is supposed to verify you as the legitimate requester of the password reset. Only the legitimate user should know what the token is, as it is sent to their known email address.


But, as TechCrunch reports, Bouimadaghene found Grindr wasn’t keeping tokens secret:



But Bouimadaghene found that Grindr’s password reset page was leaking password reset tokens to the browser. That meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look.


The clickable link that Grindr generates for a password reset is formatted the same way, meaning a malicious user could easily craft their own clickable password reset link — the same link that was sent to the user’s inbox — using the leaked password reset token from the browser.


With that ..
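
The reset flow described above, as an added example (not Grindr's code and not from the article): a handler that returns the token to whoever asked, beside a hardened one that sends it only by email, plus a regression check that scans the response for mailed tokens. The account, URL, `resetToken` field name and token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime, not from the article


class ResetService:
    """Toy reset backend; accounts, URLs and field names are constructed."""

    def __init__(self):
        self.accounts = {"alice@example.test"}
        self.pending = {}  # email -> (sha256 of token, expiry time)
        self.outbox = []   # (recipient, link): stands in for the mail system

    def _issue(self, email):
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, time.time() + TOKEN_TTL)
        link = f"https://app.example.test/reset?token={token}"
        self.outbox.append((email, link))
        return token

    def request_reset_leaky(self, email):
        # Flaw class from the article: the secret is also handed to the requester.
        if email not in self.accounts:
            return {"status": "unknown"}
        return {"status": "sent", "resetToken": self._issue(email)}

    def request_reset(self, email):
        # Hardened: the token travels only by email, and the reply is identical
        # whether or not the address is registered.
        if email in self.accounts:
            self._issue(email)
        return {"status": "accepted"}

    def redeem(self, email, token):
        digest, expiry = self.pending.get(email, ("", 0.0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        ok = time.time() < expiry and hmac.compare_digest(digest, supplied)
        if ok:
            del self.pending[email]  # single use: a redeemed token is discarded
        return ok


def response_leaks_token(service, response):
    """Regression check: does any mailed token appear in the HTTP reply body?"""
    body = json.dumps(response)
    tokens = [link.split("token=", 1)[1] for _, link in service.outbox]
    return any(t in body for t in tokens)
```

Run against real handlers in an integration test, a check like `response_leaks_token` catches this class of bug before release, because it compares what the server mailed with what it returned to the requester.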
