An unknown hacker has been sending thousands of warning messages to Grindr users in countries that are known to be hostile towards LGBT people, informing them of a security flaw that could allow any government agency or tech-savvy person to determine their exact real-time location.
The anonymous tipster claims to have used a secondary flaw to send messages to over 100,000 users in 70 countries with anti-gay laws, some of which make homosexuality punishable by death.
The hacker explains why he went public with the alleged security flaw:
Even without such a risk: Would you want it to be possible for someone to show on a map exactly where you are, to the point where they could tell if you were using Grindr in the bathroom or on the couch?
NDTV explains the problem in more detail:
The flaw arises from the fact that anyone can query Grindr’s servers using standard JSON (JavaScript Object Notation) without needing to be authenticated. The server’s response will contain whatever information users have added to their profiles, potentially including a photo, text description, age, ethnicity, body type, time last seen online, and relationship status.
Users can choose not to show their location to other users. If this flag is set, the JSON response will not contain location data. The YouTube link included in the anonymous messages and Twitter account leads to a video demonstrating the process in several parts of the world. With a single click, user profiles are displayed as pins on a map.
The second security risk is that message senders can be spoofed, and users can be impersonated. The Pastebin dump contains specific instructions including details of Grindr’s messaging protocols and server addresses. This is how the unknown whistleblower has been sending out hundreds of thousands of messages.
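To make the defensive point in NDTV's explanation concrete, the following added example (not Grindr's code, and not from the Pastebin material the article mentions) contrasts a profile endpoint that answers unauthenticated queries with raw coordinates against a hardened handler that requires a valid session, honours the user's "show location" flag, and discloses only a coarse distance bucket rather than coordinates. All profiles, tokens and coordinates are constructed sample data; `PROFILES`, `SESSIONS`, `hardened_profile` and `distance_bucket` are hypothetical names.

```python
"""Added illustration of gating location data in a profile API.

The 'vulnerable' handler mirrors the behaviour NDTV describes: anyone can
query it without authenticating and receives whatever the profile holds,
including precise coordinates. The 'hardened' handler requires a session,
honours the opt-out flag and never returns raw coordinates.
Everything here is constructed sample data, not a real service."""

import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    user_id: str
    display_name: str
    age: int
    lat: Optional[float]        # precise coordinates stay server-side only
    lon: Optional[float]
    show_location: bool = True  # the user's "show my distance" preference


# Constructed sample data (hypothetical users and a hypothetical session token)
PROFILES = {
    "u1": Profile("u1", "alice", 29, 48.85, 2.35, show_location=True),
    "u2": Profile("u2", "bob", 34, 48.86, 2.36, show_location=True),
    "u3": Profile("u3", "carol", 41, 48.87, 2.37, show_location=False),
}
SESSIONS = {"token-abc": "u1"}  # session token -> authenticated user id


class Unauthorized(Exception):
    """Raised when a request carries no valid session."""


def vulnerable_profile(user_id: str) -> dict:
    """Weak handler: no caller identity, serialises the stored coordinates."""
    p = PROFILES[user_id]
    return {
        "id": p.user_id, "name": p.display_name, "age": p.age,
        "lat": p.lat if p.show_location else None,
        "lon": p.lon if p.show_location else None,
    }


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def distance_bucket(lat1: float, lon1: float, lat2: float, lon2: float) -> str:
    """Collapse a precise distance into one of three coarse labels."""
    d = haversine_km(lat1, lon1, lat2, lon2)
    if d < 1.0:
        return "under 1 km"
    if d < 5.0:
        return "1-5 km"
    return "over 5 km"


def hardened_profile(user_id: str, token: Optional[str]) -> dict:
    """Hardened handler: valid session required; location only as a coarse
    distance from the caller, and only if the target user opted in."""
    caller_id = SESSIONS.get(token or "")
    if caller_id is None:
        raise Unauthorized("a valid session is required")
    target = PROFILES[user_id]
    caller = PROFILES[caller_id]
    out = {"id": target.user_id, "name": target.display_name, "age": target.age}
    if (target.show_location and target.lat is not None
            and caller.lat is not None):
        out["distance_bucket"] = distance_bucket(
            caller.lat, caller.lon, target.lat, target.lon)
    return out


def is_rejected(user_id: str, token: Optional[str]) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        hardened_profile(user_id, token)
        return False
    except Unauthorized:
        return True


if __name__ == "__main__":
    print("vulnerable:", vulnerable_profile("u2"))        # leaks lat/lon
    print("hardened:", hardened_profile("u2", "token-abc"))  # coarse bucket only
    print("hardened, opted out:", hardened_profile("u3", "token-abc"))
    print("no session rejected:", is_rejected("u2", None))
```

Requiring a session ties every lookup to an account that can be rate-limited and audited, and bucketing removes the exact coordinates from the response. Bucketing alone does not fully defeat repeated measurement, so in practice it belongs together with per-account query budgets and abuse monitoring.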
Watch a video showing the alleged Grindr security flaw in action:
A Grindr spokesperson responded to the flaw with the following statement to The Gaily Grind:
When we asked specifically about NDTV’s claims that users who allow their proximity data to be displayed can have their real-time GPS location exposed, Grindr did not have any additional comments.
We will keep you updated on any further developments.
[H/T: NewNowNext]