Grindr security flaws risk exposing users' location data

The company behind the gay dating app say they've fixed one exploit, but another remains.

Sponsored Links

David Lumb
March 29th, 2018
In this article: services
Leon Neal via Getty Images
Leon Neal via Getty Images

Two security issues could expose personal data for up to 3 million users of the gay dating app Grindr, according to an NBC OUT report. In the first, a website letting users log in with their Grindr credentials got wide-ranging access to data that isn't publicly available. This includes that user's unread messages, email addresses, deleted photos and real-time location -- even if they've opted out of publicly sharing the latter. But the second simply intercepts unencoded location data going from the app to servers, allowing anyone observing that user's internet traffic to pinpoint their position.

Trever Faden originally discovered the first flaw after creating the website C*ckblocked (asterisk intentional) to scrape data from anyone who logged in with their Grindr username and password. The second would let anyone monitoring web traffic observe the location-pings the Grindr app sends to its servers -- and while that's a creepy thing to do anywhere (like, say, over public Wi-Fi), it's also something that anti-gay governments or groups could use to peek at anyone who might use the service.

We've reached out to Grindr for comment and will add when we hear back. The company assured NBC OUT that the C*ckblock flaw had been fixed (the site was shut down anyway), but the second exploit reportedly remains.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget