The hacker found a frighteningly easy way to log in as another user, impersonate them, and steal any and all revealing pictures that had been exchanged in “romancing” sessions.
Now Grindr CEO Joel Simkhai and his underlings are scrambling to put out a patch that blocks the security loophole. “We are certainly aware of a lot of these vulnerabilities and they will be fixed as fast as humanly possible,” he said.
But did they really know these obvious chinks in the force-field existed? Wouldn’t they have already fixed such errors in the almost 3 years the app’s been out?
An expert in the matter said that the hacking merely overcame embarrassingly low-grade security. The expert said Grindr and its pointless straight cousin Blendr “had no real security,” calling them “very poorly designed … [with] poor session security and authentication.”
Apparently the hacking website had been up and running for months before it got shut down last Friday, and any ol’ Internet Joe Schmo could access it.
The website, registered on July 14 last year, allowed the hacker to search for any Grindr user regardless of their location, and capitalised on the vulnerabilities to offer other services the apps were not designed to provide.
Material seen by this website suggests that a number of Australian users had their Twitter profiles linked to Grindr profiles on the web page, making it easier to find users.
At one point, according to sources who saw the website before it was taken down, it listed users’ Grindr pseudonyms, passwords, their personal favourites (bookmarked friends) and allowed them to be impersonated, and thus have messages sent and received without their knowledge. At one point, the website also allowed users’ profile pictures to be replaced.