Grindr flaw allowed hijacking accounts with just an email address

A Grindr vulnerability allowed anyone who knows a user’s email address to easily reset their password and hijack their account. All a bad actor needed to do was type in a user’s email address in the password reset page and then pop open the dev tools to get the reset token. By adding that token to the end of the password reset URL, they won’t even need to access the victim’s inbox — that’s the exact link sent to the user’s email anyway. It loads the page where they can input a new password, giving them a way to ultimately take over the victim’s account.

A French security researcher named Wassime Bouimadaghene discovered the flaw and tried to report it to the dating service. When support closed his ticket and he didn’t hear back, he asked help from security expert Troy Hunt who worked with another security expert (Scott Helme) to set up a test account and confirm that the vulnerability does exist. Hunt, who called the issue “one of the most basic account takeover techniques” he’s ever seen, managed to get in touch with Grindr’s security team directly by posting a call for their contact details on Twitter.