The location-aware all-male dating service Grindr has been the target of a major cyber attack, taking advantage of flaws in the mobile app’s security. An as-yet unidentified hacker was able to use these flaws to access the service’s user accounts, and posted account information online. Though the attack primarily targeted the Australian users, it took advantage of flaws which affect all users and users of the heterosexual targeted version of the service called Blendr.
According to the Sydney Morning Herald, the information posted online was extensive:
At one point, according to sources who saw the website before it was taken down, it listed users’ Grindr pseudonyms, passwords, their personal favourites (bookmarked friends) and allowed them to be impersonated, and thus have messages sent and received without their knowledge. At one point, the website also allowed users’ profile pictures to be replaced.
Several Australian users have reported that their user accounts were accessed and profile pictures were changed to obscene images. Despite the intrusion, Grindr says that information such as addresses, chat logs, and credit card information are not retained by the service and therefore not accessible during the attack.
Grindr acknowledged the security issue in a blog post yesterday, but declined to go into detail. “Like other responsible companies,” wrote CEO Joel Simkhai, “we don’t comment on specifics of security enhancements or allegations about network issues.” Simkhai does say that a website that violated the company’s terms of service was taken down through legal action, and that a mandatory security patch is coming soon. Simkhai didn’t mention it, but concerned users can follow these steps to delete their Grindr accounts.
To access accounts, the hacker was able to duplicate the string of numbers — or “hash” — that the service used to identify users. In their reporting, the Sydney Morning Herald contacted a security specialist who was able to duplicate the intrusion. It seems that security was light in the current version of the apps, but the unnamed expert concluded that securing the service should not be difficult.
Hopefully both the Grindr and Blendr services can be locked down before more damage is done.
(Sydney Morning Herald via Techmeme, image via Grindr)
- Zappos hacked, millions of accounts vulnerable
- Weapons maker hacked; that’s disconcerting
- Gay social network shut down by bank over underwear?
