A French security researcher, Wassime Bouimadaghene, has discovered a critical vulnerability in Grindr that enables attackers to easily hijack user accounts knowing only the victim's email address. The vulnerability takes advantage of the 'forgotten password' feature of the app: the reset token issued by that feature allows attackers to change the password of an account and hijack it. This method is "one of the most basic account takeover techniques" according to one of the researchers who discovered the vulnerability.
Wassime tried to alert the company to the defect by filing a ticket on Grindr's support page; however, the ticket was deleted. The researcher then decided to contact two other security researchers in order to raise awareness of the vulnerability. The researchers managed to gain the attention of Grindr's security team by posting about the issue on Twitter.