The location-aware Grindr app enables gay men to meet other gay men who may be just metres away, making use of their smartphone’s Global Positioning System (GPS). It had about 100,000 Australian users as of August last year and more than one million users worldwide.
Now a hacker has pushed the app developer into a security crisis that has left its users seriously vulnerable considering the vast amounts of private information traded through the app – in many cases naked photos.
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.
The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had "no real security" and were "poorly designed". Fairfax Media is not aware that Blendr has been hacked but the potential was there, according to the security expert.
The founder of the apps, Joel Simkhai, conceded both were vulnerable and he was rushing to release a patch to address the issues. He said he had originally been waiting until new architecture was built "within weeks" but was now releasing an update to both apps "over the next few days".
In a telephone interview about the vulnerabilities last Friday he said the potential for text chats to be monitored was news to him, and claimed the company had never experienced a "major breach" in which a large portion of users were affected.
"We [do] get people trying to hack into our servers," he said. "That’s something that I am aware of and we certainly have a team in place that are working to prevent that."
But by Tuesday Mr Simkhai admitted that he was "aware of some vulnerabilities" but he would not talk about them in detail to avoid a hacker exploiting them.
"We are certainly aware of a lot of these vulnerabilities and … they will be fixed as fast as humanly possible," he said.
He could not say how many people had attempted to take advantage of the vulnerabilities but said a website created by the hacker had exploited some of the flaws in Grindr. That website was shut down after he sought legal action following Friday’s interview with Fairfax Media.
The website, registered on July 14 last year, allowed the hacker to search for any Grindr user regardless of their location, and capitalised on the vulnerabilities to offer other services not designed by the apps.
Material seen by this website suggests that a number of Australian users had their Twitter profiles linked to Grindr profiles on the web page, making it easier to find users.
At one point, according to sources who saw the website before it was taken down, it listed users’ Grindr pseudonyms, passwords and personal favourites (bookmarked friends), and allowed them to be impersonated, so that messages could be sent and received without their knowledge. The website also, for a time, allowed users’ profile pictures to be replaced.
It is understood the hacker changed the profile picture of numerous Sydney Grindr users to explicit images. One user who was targeted confirmed they had been banned due to a perceived terms of service violation.
It is understood the hacker took advantage of the fact that the apps used a personalised string of numbers, known as a hash, to log in instead of a user name and password. The hash is exchanged between users’ smartphones so they can communicate with each other, but the hacker discovered it could be replaced with another user’s hash, enabling the hacker to:
- Log in as any user
- See the user’s favourites
- Change their profile information and profile picture
- Talk to others as the user
- Access pictures sent to the user
- Impersonate a user’s "favourite" and talk to them as a friend
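To illustrate the design flaw described above, here is an added example (not Grindr’s or Blendr’s own code; the users, hashes and handlers are all hypothetical and constructed for the demonstration). The first handler accepts a client-supplied profile hash as proof of identity, which is what allows one user’s hash to be swapped for another’s; the hardened handlers bind identity to a random server-issued session token granted only after a password check, and ignore whatever hash the client claims.

```python
import hashlib
import hmac
import secrets

# Constructed demo data (hypothetical; not the real apps' code or identifiers).
# A profile hash is broadcast to nearby peers so they can chat, so it is public
# by design and must never double as a credential.
def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_user(password, favourites):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw": _pw_hash(password, salt), "favourites": favourites}

USERS = {"alice": _new_user("correct horse", ["bob"]),
         "bob": _new_user("battery staple", [])}
PROFILE_HASH = {"alice": "7f3a9c", "bob": "e21b44"}  # what peers see on the wire

def vulnerable_favourites(request):
    """Weak pattern from the article: whoever presents a profile hash is treated
    as that user, so any peer who has seen the hash can replay it."""
    user = next((u for u, h in PROFILE_HASH.items() if h == request.get("hash")), None)
    return None if user is None else USERS[user]["favourites"]

SESSIONS = {}  # server-issued random token -> username

def login(username, password):
    """Issue an unguessable session token only after the password verifies."""
    rec = USERS.get(username)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password, rec["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def hardened_favourites(request):
    """Identity comes from the session token, never from a client-claimed hash."""
    user = SESSIONS.get(request.get("token"))
    return None if user is None else USERS[user]["favourites"]

def hardened_set_picture(request, new_picture):
    """Profile changes apply only to the authenticated user, even if the request
    names another user's hash (the impersonation the article describes)."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        return False
    USERS[user]["picture"] = new_picture
    return True
```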
A security expert – who did not wish to be named because he didn’t have Mr Simkhai’s permission to analyse his systems – said that the Grindr and Blendr apps "had no real security".
They are "very poorly designed … [with] poor session security and authentication", the expert said. "It wouldn’t be too hard to secure this."
The security expert demonstrated with permission of a user how he could log in as them and take over the app.
In a statement Mr Simkhai said keeping his platform secure from hackers was a "number one priority".
Using technological means and legal actions his company had "blocked the offending website and hacker".
"We are diligently monitoring for hacking and we’ve added dedicated IT security specialists to our team," he said. "In the coming weeks, we’ll be rolling out a major security upgrade to our platform."
He maintained conversations on the app could not be monitored. "Not only can chat not be monitored, but since we don’t store chat history on our servers there is no way anyone can access all past chat history."
If users are concerned about their security they can permanently delete their Grindr or Blendr profile following a number of steps on the company’s website, which involves Grindr manually deleting it through a support request.