The location-based app for gay men, Grindr, has said it will release a mandatory security update after thousands of Australian users’ accounts were put at risk.
The Sydney Morning Herald reported that a hacker had listed sensitive profile information online, allowing Grindr users to be impersonated.
The app, which has amassed millions of users over nearly three years, can be used on iPhone, BlackBerry OS and Android devices in 192 countries around the world.
Grindr said last week only a small number of Australian users had been affected by the hacker’s site, but it would be taking urgent measures to protect security.
The hacker’s site, which has now been taken down, reportedly exploited a gap in Grindr’s security to publicly list users’ profile names, passwords and favourite users.
It also allowed hackers to send and receive messages as a user without that user’s knowledge.
Grindr said on Friday that genuine user chat histories were not compromised as they are not stored by the app.
Address and credit card information was not hacked.
The Sydney Morning Herald reported that the hacker exploited the mechanism through which profiles communicate: each profile is identified by a unique sequence of numbers rather than by a profile name and password. Because that sequence alone was accepted as proof of identity, replacing it with another user’s numbers reportedly allowed a hacker to log into any account.
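The weakness described above is a static identifier doing the job of a credential: whoever presents the number is treated as that user. The following is an added illustration, not Grindr’s code and not based on any knowledge of its internals. It uses a constructed two-user store and hypothetical class names to put the identifier-only pattern beside the usual fix: a random, server-issued session token that is handed out only after a password check, expires, and is the sole thing the server uses to decide who the caller is, so swapping a profile id in a request changes nothing.

```python
"""Identifier-as-credential beside a session-token design (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# --- Constructed sample data (hypothetical, not real accounts) ------------
# profile id -> (password, private inbox)
_SAMPLE_USERS = {
    1001: ("correct horse", ["message for user 1001"]),
    1002: ("battery staple", ["message for user 1002"]),
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library keeps the example self-contained;
    # a production service would prefer argon2 or bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Server-side account store: profile id -> (salt, password hash, inbox)
_ACCOUNTS = {}
for _uid, (_pw, _inbox) in _SAMPLE_USERS.items():
    _salt = secrets.token_bytes(16)
    _ACCOUNTS[_uid] = (_salt, _hash_password(_pw, _salt), _inbox)


class IdentifierOnlyService:
    """Weak pattern: the profile id in the request is the only 'proof' of identity."""

    def fetch_inbox(self, profile_id: int) -> Optional[list]:
        acct = _ACCOUNTS.get(profile_id)
        # No check that the caller actually owns this id.
        return None if acct is None else acct[2]


class SessionTokenService:
    """Hardened pattern: identity comes from a server-issued session token."""

    SESSION_TTL = 3600  # seconds a session stays valid

    def __init__(self) -> None:
        # token digest -> (profile id, expiry). Only a digest is stored, so a
        # leaked session table does not directly yield usable tokens.
        self._sessions: dict = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, profile_id: int, password: str, now: Optional[float] = None) -> Optional[str]:
        acct = _ACCOUNTS.get(profile_id)
        if acct is None:
            return None
        salt, stored_hash, _ = acct
        # constant-time comparison of the derived hash
        if not hmac.compare_digest(_hash_password(password, salt), stored_hash):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: not guessable
        current = now if now is not None else time.time()
        self._sessions[self._digest(token)] = (profile_id, current + self.SESSION_TTL)
        return token

    def _resolve(self, token: str, now: Optional[float] = None) -> Optional[int]:
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        profile_id, expiry = entry
        current = now if now is not None else time.time()
        if current > expiry:
            del self._sessions[key]  # expired sessions are dropped
            return None
        return profile_id

    def fetch_inbox(self, token: str, now: Optional[float] = None) -> Optional[list]:
        # The request carries no profile id at all; the server decides who the
        # caller is from the token, so there is nothing to swap.
        profile_id = self._resolve(token, now)
        return None if profile_id is None else _ACCOUNTS[profile_id][2]

    def logout(self, token: str) -> None:
        self._sessions.pop(self._digest(token), None)
```

The point of the hardened class is that the client never names the account it wants to act as: the token is bound to the account at login, and every later request is attributed to that account and no other. The token hash in the session table and the `SESSION_TTL` expiry are defensive extras that limit the damage if a token or the table itself leaks.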
In response to a request about how users around the world would be affected, Joel Simkhai, Grindr’s founder, told PinkNews.co.uk: “Like most other responsible companies, we don’t comment on specifics of security enhancements or allegations about network issues – that wouldn’t serve the security of our users, our networks, or web security in general.
“Based on Grindr’s ongoing investigation, we took legal and technological actions to block a site that violated our terms of service. This site impacted a small number of primarily Australian Grindr users and it remains shut down. Blendr users were not affected by this.
“We continuously make improvements to our platform to increase security across our networks. We are releasing a mandatory update to our apps over the next few days to enhance security. Users will be notified via in-app messaging when the update is available or they can visit twitter.com/grindr. Our users can be assured that Grindr does not retain chat history, hold credit card information or addresses – and no such information was ever compromised.”
Graham Cluley, a security consultant at Sophos, is quoted by the Inquirer as saying: “It’s an elementary security mistake that we have seen many websites caught out by before, not that that will be any consolation to the romance-hunting users of Grindr and Blendr.”