
After reporting the blunder to Grindr and getting no joy
Sounds like they were dicks about it...
LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address. French bug-finder Wassime Bouimadaghene spotted that when you go to the app's website and attempt to reset an account's password using its email address …
Well now they have got to the bottom of the issue, I can only hope they have got on top of things. They really should take a long hard look at the bear facts and trans form over to a better set up. It's no good having sub routines or DOMs if it's easy to grindr away at basic URLs to strip away the info for someone's safe word.
Wikipedia, the fount of all knowledge, has this to say about SevOne: "With a cloud-based architecture, it simplifies the extraction, enrichment and analysis of network and machine data from across multi-vendor environments."
Given that their software can be compromised via command injection, SQL injection, and CSV formula injection bugs, they have at least lived up to their billing to simplify extraction, at least for cyber criminals. They may have also made progress on the "enrichment" goal, not sure about the analysis though.
Finally, a company that lives up to their stated purpose, instead of it just being marketing BS.
I'm also routinely annoyed by misspelt/misspelled corporate names. But I have to concede that when doing an on-line search, it's good if your name doesn't collide with existing uses. Looking for 'Grindr' won't get you a lot of offers for butcher's shop tools mixed in with the results.
I've seen worse, much worse. I had the pleasure a few years ago of terminating the contract with an Indian SaaS provider when one of my colleagues noticed by chance that their login page was doing an ajax request to retrieve an array of all usernames and passwords (in plain text) and then simply setting a "logged in" cookie if a match was found to what you entered. Setting the cookie to any valid user ID was enough to get you full access to whatever you wanted. We stopped using the software immediately, needless to say.
Biting the hand that feeds IT © 1998–2021