Two security issues could expose personal data for up to 3 million users of the gay dating app Grindr, according to an NBC OUT report. In the first, a website letting users log in with their Grindr credentials got wide-ranging access to data that isn't publicly available. This includes that user's unread messages, email addresses, deleted photos and real-time location -- even if they've opted out of publicly sharing the latter. But the second simply intercepts unencoded location data going from the app to servers, allowing anyone observing that user's internet traffic to pinpoint their position.
Trever Faden originally discovered the first flaw after creating the website C*ckblocked (asterisk intentional) to scrape data from anyone who logged in with their Grindr username and password. The second would let anyone monitoring web traffic observe the location-pings the Grindr app sends to its servers -- and while that's a creepy thing to do anywhere (like, say, over public Wi-Fi), it's also something that anti-gay governments or groups could use to peek at anyone who might use the service.
We've reached out to Grindr for comment and will add when we hear back. The company assured NBC OUT that the C*ckblock flaw had been fixed (the site was shut down anyway), but the second exploit reportedly remains.