A tech company CEO has exposed two major security flaws in the gay dating app Grindr which could have placed its 3 million daily users at risk by sharing their location data against their will.
Grindr is the world's largest dating app for gay, bisexual, transgender and queer people, according to its website. Trever Faden, founder of property management company Atlas Lane, discovered a flaw in Grindr's application programming interface (API) that allowed users to retrieve data that was previously unavailable to them, including deleted photos, which users had blocked them, and the location data of users who had opted out of sharing such information.
Faden exposed this flaw and established the (now-defunct) website C*ckblocked which, after users submitted their Grindr username and password, would sift through their metadata. “One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user's exact location,” he explained to NBC.
Faden also discovered a second flaw in the app: user data was sent unencrypted over the internet. Grindr claims it does encrypt user data and obscures user location, although the statement it published on Twitter does not specifically address the accusations in the current leak. RT.com has contacted Grindr for additional comment.
As a company that serves the LGBTQ community, we understand the delicate nature of our users' privacy. Ensuring safety and security of our users is of paramount importance to us and will continue to be our top priority.
— Grindr (@Grindr) March 29, 2018
“Anytime a user discloses their login credentials to an unknown third party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing,” the company wrote.
“Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user's device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.”
Grindr's API was patched on March 23, but the damage may have already been done. Grindr has users in 234 countries and territories worldwide, yet homosexuality is still illegal in more than 70 countries and punishable by death in at least 13, according to a 2016 report by the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA). Grindr users have been arrested in sting operations conducted by undercover police in Egypt, for example.
“In territories where homosexuality is criminalized, or it's otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users,” the company added in its recent statement.
The issues have come to light amid a major privacy scandal over Facebook in relation to the alleged leak of private user data of up to 50 million people via a third-party quiz on the platform.