Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?

Saturday 3rd October 2020 10:31 GMT Korev

After reporting the blunder to Grindr and getting no joy

Sounds like they were dicks about it...

15 0 Reply
1. Saturday 3rd October 2020 11:41 GMT Hubert Cumberdale
  
  Well they certainly left themselves exposed.
  
  9 0 Reply
2. Saturday 3rd October 2020 17:55 GMT chivo243
  
  there seems to be a cock-up somewhere
  
  What? Just behind you...
  
  11 0 Reply
3. Monday 5th October 2020 09:57 GMT IGotOut
  
  Well now they have got to the bottom of the issue, I can only hope they have got on top of things. The really should take along hard look at the bear facts and trans form over to a better set up. It's no good having sub routines or DOMs if it's easy to grindr away at basic URLs to strip away the info for someone's safe word.
  
  2 1 Reply
Saturday 3rd October 2020 10:59 GMT Anonymous Coward

I’m told that senior management there have splashed out on a security consultant or two.

Paris because she knows all about open back doors.

6 0 Reply
Saturday 3rd October 2020 11:41 GMT Warm Braw

Imagine running a dating app and being told accounts could be easily hijacked

I wouldn't take it lying down.

8 0 Reply
Saturday 3rd October 2020 17:06 GMT RM Myers

SevOne lives up to its billing

Wikipedia, the fount of all knowledge, has this to say about SevOne: "With a cloud-based architecture, it simplifies the extraction, enrichment and analysis of network and machine data from across multi-vendor environments."

Given that their software can be compromised via command injection, SQL injection, and CSV formula injection bugs., they have at least lived up to their billing to simplify extraction, at least for cyber criminals. They may have also made progress on the "enrichment" goal, not sure about the analysis though.

Finally, a company that lives up to their stated purpose, instead of it just being marketing BS.

8 0 Reply
1. Saturday 3rd October 2020 19:22 GMT Anonymous Coward
  
  Re: SevOne lives up to its billing
  
  And the connection with Grinder¹ is what exactly?
  
  ¹ Yes, with an /e/. If they can't spell that's their problem.
  
  2 11 Reply
  1. Sunday 4th October 2020 08:28 GMT Anonymous Coward
    
    Re: SevOne lives up to its billing
    
    Not the OP, but in their defence the article is not just about Grind(e)r.
    
    There is a clear box-out section talking about SevOne, SQL injection, etc.
    
    3 0 Reply
    1. Wednesday 7th October 2020 21:55 GMT Anonymous Coward
      
      Re: SevOne lives up to its billing
      
      > There is a clear box-out section talking about SevOne, SQL injection, etc.
      
      Not on my computer. Possibly blocked.
      
      0 0 Reply
  2. Sunday 4th October 2020 16:57 GMT Bill Gray
    
    Re: SevOne lives up to its billing
    
    I'm also routinely annoyed by misspelt/misspelled corporate names. But I have to concede that when doing an on-line search, it's good if your name doesn't collide with existing uses. Looking for 'Grindr' won't get you a lot of offers for butcher's shop tools mixed in with the results.
    
    1 0 Reply
    1. Wednesday 7th October 2020 21:58 GMT Anonymous Coward
      
      Re: SevOne lives up to its billing
      
      > when doing an on-line search, it's good if your name doesn't collide with existing uses
      
      Yeah, that's why they do it. Well, that and lack of imagination to come up with an actual original name (yes, it's difficult but it does pay off).
      
      0 0 Reply
Saturday 3rd October 2020 18:33 GMT BrownishMonstr

If it was illegal to pay ransomeware crooks, and with large fines if found out, would companies still pay it?

3 0 Reply
1. Saturday 3rd October 2020 19:21 GMT HildyJ
  
  Ransomware
  
  Fines just add to the cost of paying the ransom. Unless you make it a criminal charge of aiding and abetting plus make it illegal for insurance companies to cover ransomware payments, you're just changing accounting calculations, you're not changing the game.
  
  7 0 Reply
2. Sunday 4th October 2020 08:47 GMT Def
  
  Isn't that essentially the same as taxing ransom payments?
  
  5 0 Reply
  1. Tuesday 6th October 2020 13:26 GMT CAPS LOCK
    
    Isn't that essentially the same as taxing ransom payments?
    
    Shush. Don't give them ideas...
    
    0 0 Reply
Saturday 3rd October 2020 21:53 GMT J27

Putting that token on the reset page is just hillarious. That's the sort of mistake a COMPSCI 101 student would make.

0 0 Reply
1. Sunday 4th October 2020 09:50 GMT Anonymous Coward
  
  I don't get how our why anyone would do that even by mistake!
  
  3 0 Reply
  1. Sunday 4th October 2020 12:13 GMT james_smith
    
    The developer probably put it there during development to ease testing (taking the email delivery part out of the loop), and in time honoured tradition forgot to remove it once testing was complete.
    
    8 0 Reply
    1. Sunday 4th October 2020 14:04 GMT A.P. Veening
      
      More likely was removed from the project before completion and put on another one without time for a proper handover.
      
      4 0 Reply
      1. Monday 5th October 2020 11:27 GMT Def
        
        More likely they embellished their Resume with things like "Security Expert" and "Database Wizard" and changed jobs for an equally ridiculous pay rise.
        
        2 0 Reply
2. Tuesday 6th October 2020 06:13 GMT DBH
  
  I've seen worse, much worse. I had the pleasure a few years ago of terminating the contract with an Indian SaaS provider when one of my colleagues noticed by chance that their login page was doing an ajax request to retrieve an array of all usernames and passwords (in plain text) and then simply setting a "logged in" cookie if a match was found to what you entered. Setting the cookie to any valid user ID was enough to get you full access to whatever you wanted. We stopped using the software immediately, needless to say.
  
  0 0 Reply
Monday 5th October 2020 03:21 GMT Aussie Doc

Oo...

"...After reporting the blunder to Grindr and getting no joy..."

They were holding it wrong?

2 0 Reply
1. Tuesday 6th October 2020 01:55 GMT Snake
  
  Re: Oo...
  
  Absolutely NOT, it's just that happy endings are ALWAYS optional extras.
  
  0 0 Reply
This post has been deleted by its author