The dating app Grindr fixes vulnerability allowing anyone to access user accounts using just their email

Grindr, one of the world's largest dating and social networking apps within the LGBTI+ community, has fixed a security vulnerability that allowed anyone to hijack and take control of any user's account using just their email address.
Grindr has about 27 million users, with about 3 million using the app every day.
Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the problem to Grindr. As he did not get a response, Bouimadaghene shared his findings with security expert Troy Hunt for help, according to TechCrunch.
Bouimadaghene found the vulnerability in the way the app handles account password resets.
To reset a password, Grindr sends the user an email with a link containing an account password reset token. After clicking the link, the user can change the password.
However, Bouimadaghene discovered that Grindr's password reset page was leaking its tokens to the browser. That meant that anyone who knew a user's registered email address could trigger a password reset and pick up the token if they knew where to look.
The links that Grindr generates for this process all have the same format, meaning that a hacker could easily create his own password reset link using the token leaked to the browser.
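The flaw described above, shown beside a corrected handler together with a regression check that a defender can run against either one. This is an added example, not Grindr's code: the function names, the `resetToken` JSON field, the URL format and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

USERS = {"user@example.com"}  # constructed sample account
OUTBOX = []                   # stand-in for the mail system: (recipient, link)
TOKENS = {}                   # email -> (sha256 of token, expiry timestamp)
RESET_URL = "https://app.example/reset?token={}&email={}"  # assumed format

def _issue_token(email, ttl=900):
    """Create a random token, store only its hash, deliver it by email only."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    TOKENS[email] = (digest, time.time() + ttl)
    OUTBOX.append((email, RESET_URL.format(token, email)))
    return token

def request_reset_leaky(email):
    """Flawed pattern: the token is also returned in the HTTP response body."""
    token = _issue_token(email)
    return json.dumps({"status": "sent", "resetToken": token})

def request_reset_hardened(email):
    """Token leaves the server only in the email; the reply is always the same."""
    _issue_token(email)
    return json.dumps({"status": "if the account exists, a link was sent"})

def redeem(email, token):
    """Accept a token once, before expiry, comparing hashes in constant time."""
    stored = TOKENS.pop(email, None)  # pop makes the token single-use
    if stored is None or time.time() > stored[1]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(digest, stored[0])

def mailed_token():
    """Extract the token from the most recent reset email."""
    return OUTBOX[-1][1].split("token=")[1].split("&")[0]

def response_leaks_token(handler, email):
    """Regression check: does the caller-visible response contain the token?"""
    OUTBOX.clear()
    body = handler(email)
    return mailed_token() in body
```

Running `response_leaks_token` against every endpoint that touches the reset flow, as part of the test suite, catches this class of leak before release.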
With this, a hacker can change the account owner's password and access the account and the personal data stored in it, including account photos, messages, sexual orientation, HIV status and the date of the last test.
"We are grateful for the researcher who identified a vulnerability. The reported problem has been fixed. Fortunately, we believe we have addressed the problem in time," Grindr Chief Operating Officer Rick Marini told TechCrunch.
"As part of our commitment to improving the security of our service, we partnered with a leading security company to simplify and improve the ability of security investigators to report issues like these. In addition, we will soon announce a new error reward program to provide additional incentives for researchers to help us keep our service safe in the future," the company said.
Cybersecurity may be the engine the Spanish tech sector needs: why the industry has so much potential, experts say
The cybersecurity industry is stepping on the accelerator in Spain.
Last week, IriusRisk closed a new round of financing in which it raised nearly 6 million euros. In less than two weeks, Telefónica Cybersecurity Tech announced the purchase of firms such as the Valencian company Govertis, specialized in compliance and protocols, and iHackLabs, a startup that simulates cyber attacks to help its customers.
Cybersecurity is one of the wheels of the Spanish technology sector, which is enjoying a sweet moment after the sale of Idealista to EQT for more than 1,300 million euros. Following this corporate operation, several experts have already predicted 2 or 3 "very important" years for the industry.
To understand the importance and potential of cybersecurity within the Spanish business ecosystem, Business Insider Spain has contacted several investment funds, several CEOs of leading startups and experts such as Bernardo Quintero, one of Google's most visible faces in the field of cybersecurity.
Panda Antivirus (today Panda Security), Hispasec, S21... the names of several Spanish cybersecurity companies date back to the mid-to-late 90s. More than 20 years later, these companies are living milestones without which the sector could not be understood.
Experts such as Juan Lopez, investment director of Kibo Ventures, or Bernardo Quintero himself (founder of VirusTotal, a company that was acquired by Google in 2012) talk about the "quarry" in this industry.
"The fact that there was a group of people who then devoted themselves to getting ideas generated a quarry, a kind of first breeding ground for companies," Lopez himself explains.
Quintero expands on this idea: "There are two factors. On the one hand, these first enterprises became the training centres themselves. When we brought the first employees into Hispasec, many had no idea about cybersecurity. Only some had certain knowledge."
"Another very important point," he continues, was that the first entrepreneurs were accessible people. "We were like them. I set up my company to lung, with no investment. People could feel reflected in us. This has a contagious effect not only on the cybersecurity branch, but also on entrepreneurship."
Alberto Gomez, of Adara Ventures, was involved in the well-known exit of AlienVault, a startup that was acquired by AT&T in 2018 in one of the largest corporate operations in the sector. He agrees that in both the Spanish and European markets there are "more qualified people in this area willing to undertake, in addition to investors willing to finance".
"The sector is in very good condition."
Stephen De Vries is the CEO of IriusRisk, the startup behind the recent $6.7 million financing round. In a recent interview with Business Insider Spain, he pointed out what, in his opinion, is a difference between the US cybersecurity market and the Spanish one: there, the software or product is prioritized; here, the services.
Investors consulted by Business Insider Spain generally note this as a fact. Lopez, of Kibo Ventures, acknowledges that "depending on what kind of disruption or innovation you are giving, sometimes a layer of services is almost mandatory." "Generating a product is very difficult and usually happens in second phases."
This does not mean that in Spain there is a certain change of trend. According to Quintero, while Americans have always had "a more product mentality", in Spain one of the first cybersecurity companies was Panda Antivirus, "a product that was scalable".
The same is true of the company he founded himself, VirusTotal. "It was the first 100% internet service, which was not software," and therefore, it was also scalable.
But the chip is also being changed. Quintero believes that "the great cybersecurity boom" is on issues such as artificial intelligence or machine learning. "You have to think about scalable services and have a much more global connection."
"In Spain we sin a little bit of local business." Years ago, SMEs had antivirus and little else. "Little by little, seeing the startups coming out, the 'chip' is changing." IriusRisk's financing round was announced precisely to deepen its internationalization.
There's talent, there's entrepreneurship, and there's investment.
What is needed is to believe it.
That is also the opinion of Quintero himself. "If Spain has a good thing, it's talent, not just cybersecurity. Spanish engineers are highly valued outside; we have very good training and at a cultural level we are people who seek our life".
Quintero laughs. "It's not to crack, but other cultures can be a little more methodical, and that Spanish picaresque helps in engineering. If there is a problem, they call the Spanish engineer on duty who makes you a 'Napa' in a moment. And that is highly valued."
One of the people who has studied more about the objectionable facts and the potential of the Spanish cybersecurity industry is Dario Villena, manager at Swanlaab. Villena recalls the regulatory change that is being worked on, whereby critical infrastructures will have to face annual cybersecurity audits.
In other words, there will be more business.
In addition, he also notes that in Spain "there is very good connection", this being one of the European countries with the largest fiber optic network.
Juan Lopez, of Kibo, also highlights how "interesting" the cybersecurity sector has become. At the fund, they acknowledge that they have begun investing in it and that much of the return they will get from their portfolio will come from the world of cybersecurity.
"It is logical: the technological sectors that attack startups are increasingly broad, and more, perhaps, industrial. What used to be practically a thing of the internet, of information portals, has become a sector in which all sectors are, but digitizing."
And in all these sectors there will have to be a layer to secure. "For every IoT expert, for every space expert, for every mining expert... there will have to be a cybersecurity expert who understands the casuistry and the problems associated with this industrial sector," says Lopez.
When it became known in mid-September that Idealista had been acquired by the EQT fund for more than 1,300 million euros, the CEO of Verse and former founding partner of the real estate website, Bernardo Hernandez, was clear in statements to Business Insider Spain. "I'd like it to go public."
"You can still do it," he said at the time. "The ecosystem is maturing and is made up of many agents. We will see larger and larger venture capital funds, companies with increasingly profitable business models, and it should not surprise us that this record of 1,300 million in 5 or 10 years is surpassed by an operation of 15,000 or 20,000 million."
It is difficult to predict whether the cybersecurity wheel will hold this record in the coming years. According to Bernardo Quintero, from VirusTotal and Google, Spain has "the mimbres". "We are taking steps in that area and I am sure we will see it, I do not know if in the short or medium term."
"What we need is to believe it ourselves, we have certain complexes and when you start going out you realize that people out there value the product," he admits.
Alberto Gomez, of Adara Ventures, is more skeptical.
Gomez's testimony is key because Adara was backing AlienVault when it was acquired in 2018 by AT&T in one of the most important corporate operations in the sector, although the amount was not disclosed.
In an interview at the time with Hypertextual, Gomez said that, before the operation, the possibility of the Spanish cybersecurity firm going public in the United States during 2019 had been assessed. "Metrics and financial results pointed to that."
However, AlienVault opted for the sale. "Compared to an IPO you have to wait a year and a half for the exit, then you have to wait to sell because you have to endure and that in the market can happen a thousand things ... were important to say for the offer in cash".
"There is always a doubt as to what would have happened after going public."
Asked by Business Insider Spain about the possibility that, following the example of Idealista, we might see a more technological IBEX led by cybersecurity firms, Gomez rejects it in the short, medium and even long term.
"The only way to achieve this is for us to do something comparable to Shanghai or New York. We cannot think of a technological IBEX, in Spain we do not have the critical scale. And neither does Germany."
"No European alternative market operates with the necessary liquidity. Neither did London. Spanish is totally inefficient. There is very little information, very little volume. It is not really a market where a company, beyond raising an initial capital, can come investors and count on that they can buy and sell shares with a certain transparency, liquidity and depth".