Grindr, a hugely popular location-based smartphone app used by the gay community to find potential hook-ups, contains a serious security flaw that puts members' photos and passwords in the hands of hackers.
The bug, discovered by an unnamed Australian hacker, allows unauthorized users to exploit the app's sign-in feature — which asks for a password hash rather than a password or user name — to access members' profiles, view and share their explicit photos and impersonate them to send chat messages.
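The article only says that sign-in takes a password hash in place of a password or user name, not how Grindr's servers actually processed it, so the following is an added illustration (not the article's or Grindr's code) of the underlying design problem: when the client supplies the hash, that hash *is* the credential, and anyone holding it can authenticate. The second half shows the conventional alternative, where the client sends the password over TLS and the server does salted, iterated hashing. The user names, passwords, and the choice of PBKDF2-HMAC-SHA256 are assumptions made for the example.

```python
"""Weak vs. hardened password sign-in (added illustration, constructed data)."""
import hashlib
import hmac
import secrets

# --- Weak design, modelled on the article's description: the client sends a
# password hash and the server treats it as both identity and proof.  The stored
# value and the transmitted value are identical, so a leaked or intercepted hash
# logs the holder in directly; the original password never needs to be known.

WEAK_DB = {  # constructed sample: hash -> account
    hashlib.sha256(b"correct horse").hexdigest(): "alice",
}

def weak_login(client_hash: str):
    """Return the account name the hash resolves to, or None."""
    for stored_hash, user in WEAK_DB.items():
        if hmac.compare_digest(stored_hash, client_hash):
            return user
    return None

def weak_hash_is_bearer_token() -> bool:
    """Knowing only the stored hash (e.g. from a dumped table) is enough."""
    leaked_hash = next(iter(WEAK_DB))
    return weak_login(leaked_hash) == "alice"

# --- Hardened design: the client sends the password itself (over TLS), the server
# stores a per-user random salt plus an iterated hash and compares in constant time.
# PBKDF2-HMAC-SHA256 is assumed here as a reasonable choice; argon2/scrypt also fit.

ITERATIONS = 200_000

def make_record(password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}

STRONG_DB = {"alice": make_record("correct horse")}  # constructed sample

def strong_login(user: str, password: str) -> bool:
    rec = STRONG_DB.get(user)
    if rec is None:
        # Same amount of work for unknown users, so response time does not
        # reveal which account names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    return hmac.compare_digest(candidate, rec["digest"])

def strong_hash_is_not_bearer_token() -> bool:
    """Presenting the stored digest as the password fails, because the server
    salts and re-hashes whatever it receives; the database record alone does not
    authenticate."""
    rec = STRONG_DB["alice"]
    return not strong_login("alice", rec["digest"].hex())
```

The design lesson is independent of which hash function the client used: moving the hashing step to the client turns the stored value into a reusable secret, which is exactly what the article's "password hash rather than a password" sign-in did. Server-side salting with a slow KDF and constant-time comparison keeps a leaked record from being directly replayable.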
"As the photos and communications that can be exchanged can be of a — how shall I put this? — delicate nature, you can understand the potential problems," Graham Cluley, from the security company Sophos, wrote.
With more than half a million registered users, Grindr, a free app for Android, iPhone and BlackBerry that launched in 2009, uses a smartphone's GPS to display a grid of all the men in the vicinity, ordered by distance. The grid shows each user's picture and how far away he is; tapping a picture opens a brief profile (name and personal details) with options to chat, send photos or share location. The flaw was also found in Blendr, a straight version of the app.
A statement from a public-relations firm representing Grindr disputed that Blendr was affected.
The Sydney Morning Herald reported that the hacker took advantage of the basic authentication vulnerability to change the profile pictures of numerous Sydney Grindr users to explicit images, and even created a website to expose Grindr users' names, passwords and bookmarked friends. The site was shut down today (Jan. 20).
Grindr's founder, Joel Simkhai, is aware of the security flaw and said the app will be patched in the next few days and that a major security upgrade will be released in the coming weeks.
"As a result of Grindr's ongoing investigation, we took legal and technological actions to block a site that violated our terms of service. This site impacted a small number of primarily Australian Grindr users and it remains shut down," a statement attributable to Simkhai and issued by the PR firm said. "Blendr users were not affected by this."
"We are releasing a mandatory update to our apps over the next few days to enhance security. When the update is available, users will be notified via in-app messaging, on Twitter and on the Grindr blog," the statement read. "Our users can be assured that Grindr does not retain chat history, credit card information, or addresses — and no such information was ever compromised."
With a location-based program such as Grindr, it's important to keep user privacy and security a priority even when taking advantage of the app's unique geolocation feature. Make sure, before you download and begin using an app, that you read the permissions, and don't use it if you feel uncomfortable with the amount of personal data an app wants to access.