Editor’s Note: A correction has been appended to this article.
Grindr, a gay-dating app, suffers from a security issue that can expose the information of its more than 3 million daily users, including the location data of people who have opted out of sharing such information, according to cybersecurity experts.
The security flaw was identified by Trever Faden, CEO of the property management startup Atlas Lane, after he created a website called C*ckblocked (the asterisk is part of the name of the service). His website allowed users to see who blocked them on Grindr after they entered their Grindr username and password. Once they did so, Faden was able to gain access to a trove of user data that is not publicly available on user profiles, including unread messages, email addresses, deleted photos, and the location data of users, some of whom have opted to not share their locations publicly.
Faden’s website exploited a similar security loophole to the one that leaked the information of 50 million Facebook users through a quiz connected to the social network, highlighting the risk that people face in using existing social media accounts to log in to other services.
Grindr makes public the location of many of its users, but allows for users to opt out of this feature. Faden found that he could find the location of users who had opted out if they connected their Grindr profiles through his third-party website.
“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user's exact location,” Faden explained. Two independent cybersecurity researchers, neither affiliated with Faden nor Grindr, backed up Faden's claim.
In a statement issued to NBC News, Grindr said it was aware of the vulnerability that Faden had found and had changed its system to prevent access to data regarding blocked accounts. The company did not change access to any of the other data. After Grindr changed its policy on access to data on which users had blocked other users, Faden shut down his website.
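The failure described above is a server that returns every stored field to any caller holding a valid token, leaving the user's opt-out to the client. The following added example (not Grindr's code; profile fields, names and sample data are constructed) contrasts that pattern with one that enforces the data subject's privacy setting on the server side, so a token handed to a third-party site still cannot retrieve an opted-out location or a block relationship.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample profile record; field names are assumptions, not a real schema.
@dataclass
class Profile:
    user_id: str
    email: str
    share_location: bool                       # the user's own opt-in/opt-out setting
    location: Optional[Tuple[float, float]]    # (lat, lon) kept server-side regardless
    blocked: Set[str] = field(default_factory=set)

# Constructed directory: "bob" has opted out of location sharing and has blocked "alice".
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", "alice@example.test", True, (48.8566, 2.3522)),
    "bob": Profile("bob", "bob@example.test", False, (48.8600, 2.3400), {"alice"}),
}

def serialize_leaky(viewer_id: str, target: Profile) -> dict:
    """Weak pattern: any authenticated caller receives every stored field.
    The opt-out is only honoured by the official client, not by the API."""
    return {
        "user_id": target.user_id,
        "email": target.email,
        "location": target.location,
        "has_blocked_viewer": viewer_id in target.blocked,
    }

def serialize_hardened(viewer_id: str, target: Profile) -> dict:
    """Enforce the data subject's settings at the point the response is built,
    independent of who holds the token (first party, third party, or attacker)."""
    out = {"user_id": target.user_id}
    is_owner = viewer_id == target.user_id
    if is_owner:
        out["email"] = target.email          # contact details only to their owner
    if target.share_location or is_owner:
        out["location"] = target.location    # opted-out users are never located by others
    # Block relationships are an internal access-control fact, never disclosed.
    return out

def lookup(viewer_id: str, target_id: str, hardened: bool = True) -> dict:
    """Profile view as seen by viewer_id; hardened=False reproduces the leaky behaviour."""
    target = PROFILES[target_id]
    return (serialize_hardened if hardened else serialize_leaky)(viewer_id, target)
```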
The company also warned people not to use their Grindr logins for other apps or websites.
“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”
The company also used Twitter to warn users against sharing their information with third parties. “Using unauthorized tools puts your Grindr account at risk,” the tweet stated.
“It’s a feature, not a bug,” Faden said, characterizing conversations he had with employees at Grindr about the availability of location data.
Faden said that he did not share or collect any user data to which he was given access, other than telling Grindr users who accessed his website who had blocked them on the app.
This is not the first time that issues with Grindr’s security around location data have been reported.
Grindr’s security issues first came to light in 2014, when security researchers at cybersecurity firm Synack found that Grindr let any user see the profiles and locations of people anywhere in the world. Grindr did make some changes, allowing users to turn off its pinpoint location function and turning off the default location option in countries where gay people face violence and persecution. Two years after the location data was first revealed and addressed by Grindr, security researchers found they were still able to figure out users’ locations.
Location data for Grindr users is particularly sensitive. Grindr has users in 234 countries and territories around the world. Homosexuality is illegal in more than 70 nations, and 13 of them implement the death penalty for homosexual acts, according to a 2016 report by the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA).
Cooper Quintin, a security researcher at the Electronic Frontier Foundation, reviewed Faden’s findings and confirmed the flaw.
“There are a million reasons why you might not want someone to find your location through Grindr, and Grindr is dealing with that as a non-issue,” Quintin said. “They’re putting people’s lives at risk by doing that.”
In addition to the new security flaw, Faden also demonstrated the ease and speed with which he could find users who had not opted out of sharing location data.
NBC News created a new account on the service, and Faden pinpointed its location almost immediately.
The screenshot below, sent by Faden, shows that he was able to find the new profile, pinpointed down to the area of the building in which the user was located, in a matter of minutes. This capability is open to any user who joins the app and requires no verification or authentication.
The data flaw raises questions about the security of Grindr's users around the world. Among the experts raising concerns is Harlo Holmes, director of newsroom digital security at the Freedom of the Press Foundation. Holmes said it’s important that companies like Grindr, which gather deeply personal information from users, not let that data fall into the wrong hands.
“Dating apps must especially take care to protect users from letting bad actors access sensitive data,” Holmes said. “This type of info exposure betrays our trust that the service can determine what fields of data should be public and private.”
Holmes said that, unlike Twitter, which is more public and is transparent about who has blocked whom, Grindr introduces the additional layer of sexual orientation, and the release of a user's personal information could lead to increased stalking and other forms of sex-based harassment.
“LGBTQ folks have vastly different legal standing across countries and continents,” Holmes added.
C*ckblocked — which was neither associated with Grindr nor the Chinese gaming company Beijing Kunlun Tech, which owns a majority stake in Grindr — first went live on Friday, March 16. By the following Wednesday, nearly 50,000 people had signed on to the service with the emails and passwords they use for their personal Grindr accounts, according to Faden. His algorithm took the authentication tokens sent back from Grindr servers, then accessed each user’s metadata to show them who blocked their accounts. Faden said he did not store their login information.
Norman Shamas, an independent cyber security consultant, said the initial landing page of C*ckblocked resembled any standard phishing scam.
“When I saw it, my immediate thought was, ‘This is a very similar social engineering attack to a phishing site,’” Shamas said. “My response is to tell people to not type anything in and not use it.”
Shamas said while Faden may not have created the site with malicious intent, there are risks when giving login information to third parties. Teaching people to trust services like C*ckblocked, Shamas added, could make future attacks with malicious intent more successful.
Shamas also shared concerns about an article posted to Grindr-owned digital publication INTO. The outlet published an article about C*ckblocked earlier this month that seemingly glossed over the data aspect, focusing instead on how the third-party service exposed the pattern of white men blocking men of color on the app.
“They normalized this app by having this article up, and it’s not really doing anything,” Shamas said, expressing concern that the article appears to be promoting a third-party product which has gained access to sensitive personal information. Shamas also expressed concern that the article could inspire more services that phish login information from users.
“If there’s a desire for third-party apps, then building out some sort of interface, like with Facebook, where they could control the data ... that could help mitigate the risk against someone going to a place like C*ckblocked,” Shamas said.
For his part, Faden maintains he has no intention of using the data his website has harvested for nefarious purposes. He also warned, however, that it can be easy to bypass even the best online security measures.
“The single weakest point in most security chains is often the human element,” he said. “Not backdoors, not weak authentication schemes — just people with malicious intent that know enough to dupe other people.”
Editor's Note: The author of this article contributed an unpaid personal essay to INTO, Grindr's website, in November 2017.
CORRECTION (March 30, 2018, 9:34 a.m. ET): An earlier version of this article included an incorrect assertion about the security of Grindr location data. The Grindr app uses technology that blocks observers of internet traffic from intercepting or seeing location information; Grindr location data was not improperly secured and cannot be seen by passive observers of internet traffic. The incorrect information has been removed from this article.