Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?

LGBTQ dating site Grindr has squashed a security bug in its website that could have been trivially exploited to hijack anyone's profile using just the victim's email address. French bug-finder Wassime Bouimadaghene spotted that when you go to the app's website and attempt to reset an account's password using its email address …

  1. Korev Silver badge
    Coat

    After reporting the blunder to Grindr and getting no joy

    Sounds like they were dicks about it...

    1. Hubert Cumberdale Silver badge

      Well they certainly left themselves exposed.

    2. chivo243 Silver badge
      Coat

      there seems to be a cock-up somewhere

      What? Just behind you...

    3. IGotOut Silver badge
      Coat

      Well now they have got to the bottom of the issue, I can only hope they have got on top of things. They really should take a long hard look at the bear facts and trans form over to a better set up. It's no good having sub routines or DOMs if it's easy to grindr away at basic URLs to strip away the info for someone's safe word.

  2. Anonymous Coward
    Paris Hilton

    I’m told that senior management there have splashed out on a security consultant or two.

    Paris because she knows all about open back doors.

  3. Warm Braw Silver badge

    Imagine running a dating app and being told accounts could be easily hijacked

    I wouldn't take it lying down.

  4. RM Myers Silver badge
    FAIL

    SevOne lives up to its billing

    Wikipedia, the fount of all knowledge, has this to say about SevOne: "With a cloud-based architecture, it simplifies the extraction, enrichment and analysis of network and machine data from across multi-vendor environments."

    Given that their software can be compromised via command injection, SQL injection, and CSV formula injection bugs, they have at least lived up to their billing to simplify extraction, at least for cyber criminals. They may have also made progress on the "enrichment" goal, not sure about the analysis though.

    Finally, a company that lives up to their stated purpose, instead of it just being marketing BS.

    1. Anonymous Coward

      Re: SevOne lives up to its billing

      And the connection with Grinder¹ is what exactly?

      ¹ Yes, with an /e/. If they can't spell that's their problem.

      1. Anonymous Coward

        Re: SevOne lives up to its billing

        Not the OP, but in their defence the article is not just about Grind(e)r.

        There is a clear box-out section talking about SevOne, SQL injection, etc.

        1. Anonymous Coward

          Re: SevOne lives up to its billing

          > There is a clear box-out section talking about SevOne, SQL injection, etc.

          Not on my computer. Possibly blocked.

      2. Bill Gray

        Re: SevOne lives up to its billing

        I'm also routinely annoyed by misspelt/misspelled corporate names. But I have to concede that when doing an on-line search, it's good if your name doesn't collide with existing uses. Looking for 'Grindr' won't get you a lot of offers for butcher's shop tools mixed in with the results.

        1. Anonymous Coward

          Re: SevOne lives up to its billing

          > when doing an on-line search, it's good if your name doesn't collide with existing uses

          Yeah, that's why they do it. Well, that and lack of imagination to come up with an actual original name (yes, it's difficult but it does pay off).

  5. BrownishMonstr Bronze badge

    If it was illegal to pay ransomware crooks, and with large fines if found out, would companies still pay it?

    1. HildyJ Silver badge
      Facepalm

      Ransomware

      Fines just add to the cost of paying the ransom. Unless you make it a criminal charge of aiding and abetting plus make it illegal for insurance companies to cover ransomware payments, you're just changing accounting calculations, you're not changing the game.

    2. Def Silver badge
      Facepalm

      Isn't that essentially the same as taxing ransom payments?

      1. CAPS LOCK Silver badge

        Isn't that essentially the same as taxing ransom payments?

        Shush. Don't give them ideas...

  6. J27 Silver badge

    Putting that token on the reset page is just hilarious. That's the sort of mistake a COMPSCI 101 student would make.

    1. Anonymous Coward

      I don't get how or why anyone would do that even by mistake!

      1. james_smith

        The developer probably put it there during development to ease testing (taking the email delivery part out of the loop), and in time honoured tradition forgot to remove it once testing was complete.

        1. A.P. Veening Silver badge

          More likely they were removed from the project before completion and put on another one without time for a proper handover.

          1. Def Silver badge

            More likely they embellished their Resume with things like "Security Expert" and "Database Wizard" and changed jobs for an equally ridiculous pay rise.

    2. DBH

      I've seen worse, much worse. I had the pleasure a few years ago of terminating the contract with an Indian SaaS provider when one of my colleagues noticed by chance that their login page was doing an ajax request to retrieve an array of all usernames and passwords (in plain text) and then simply setting a "logged in" cookie if a match was found to what you entered. Setting the cookie to any valid user ID was enough to get you full access to whatever you wanted. We stopped using the software immediately, needless to say.
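The point the thread keeps circling is that a reset token may only reach the user through the e-mail channel, never through the page or API response the reset form receives. As an added example (not Grindr's code, nor that of the SaaS provider in the anecdote above), this sketch keeps the token out of the response, returns the same body whether or not the address is registered, stores only a hash of the token, and makes it single-use and time-limited; the user store, the outbox list, the example.invalid URL and the sha256 stand-in for a real password hash are constructed for illustration.

```python
# Added example: password reset where the token leaves the server only via e-mail.
import hashlib
import secrets
import time

RESET_TTL_SECONDS = 15 * 60

# Constructed sample data: one user, an outbox standing in for a mail sender,
# and the pending-reset table keyed by the HASH of each token.
USERS = {"alice@example.com": {"password_hash": hashlib.sha256(b"old-pw").hexdigest()}}
EMAIL_OUTBOX = []    # (recipient, message) pairs a real mailer would deliver
PENDING_RESETS = {}  # sha256(token) -> (email, expiry timestamp)


def _hash(value):
    # sha256 is a stand-in here; a real system uses argon2/bcrypt for passwords.
    return hashlib.sha256(value.encode()).hexdigest()


def request_reset(email, now=None):
    """Start a reset and return the only body the reset page is allowed to see."""
    now = time.time() if now is None else now
    if email in USERS:
        token = secrets.token_urlsafe(32)
        # Store the hash only, so a leaked table cannot be replayed as tokens.
        PENDING_RESETS[_hash(token)] = (email, now + RESET_TTL_SECONDS)
        EMAIL_OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    # Same response for known and unknown addresses, and no token anywhere in it.
    return {"status": "ok",
            "message": "If that address is registered, a reset link has been sent."}


def complete_reset(token, new_password, now=None):
    """Redeem a token once, within its lifetime; True on success."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_hash(token), None)  # pop makes it single-use
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    USERS[email]["password_hash"] = _hash(new_password)
    return True


def verify_password(email, password):
    """Constant-time check of a login attempt against the stored hash."""
    user = USERS.get(email)
    return user is not None and secrets.compare_digest(user["password_hash"], _hash(password))
```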

  7. Aussie Doc Bronze badge
    Trollface

    Oo...

    "...After reporting the blunder to Grindr and getting no joy..."

    They were holding it wrong?

    1. Snake Silver badge

      Re: Oo...

      Absolutely NOT, it's just that happy endings are ALWAYS optional extras.

  8. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2021