QUEER VOICES
03/28/2018 03:32 pm ET Updated Mar 28, 2018

Grindr Security Flaws Puts User Privacy At Risk, Bombshell Report Claims

According to NBC, a loophole allows people to access personal information of individual users.
Trever Faden said he was able to access the unread messages, email address, deleted photos and location of Grindr users
Leon Neal via Getty Images
Trever Faden said he was able to access the unread messages, email address, deleted photos and location of Grindr users through a website he created. 

The queer dating and social networking app Grindr reportedly has two major security flaws that put the personal data of its more than 3 million daily users at risk. 

Trever Faden, who is the CEO of property management company Atlas Lane, told NBC he discovered the issues after creating a new site that allowed Grindr users to discover who blocked them on the app. 

Faden’s now-defunct site, called C*ckblocked, required Grindr users to enter their username and password to login into the service and had launched earlier this month. 

However, after entering a Grindr username and password, Faden said he was able to access data not publicly seen on profiles, including unread messages, email addresses, deleted photos and location of individual users. 

Faden also found that some of the information sent to the company’s servers was not encoded, meaning that user locations could be exposed even if they chose to opt out of sharing their location information.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden said. His claims were backed up by two independent cybersecurity researchers, according to NBC. 

A little more than a week before NBC’s report was published, the app tweeted: 

Grindr officials told NBC that they were aware of the security issues Faden had uncovered and that they had changed their system to prevent access to data regarding blocked accounts. It’s unknown if further changes were being planned. 

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said, according to NBC. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

Privacy concerns stemming from the use of popular dating and social networking apps is hardly a new issue. In 2014, cybersecurity firm Synack found that Grindr allowed users to access profiles and locations of others anywhere in the world. That information, researchers wrote, could “ultimately unmask the identities” of Grindr users who wished to remain anonymous and put them at safety risk.  

That same year, an anonymous tipster reportedly sent messages to Grindr users in countries that have anti-LGBTQ legislation in place or are otherwise hostile to queer people telling them that they could be targeted, persecuted or even murdered as a result of the app’s location sharing data. 

“As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application, and Grindr users can control how this information is displayed,” a spokesperson told HuffPost at the time. “As always, our user security is our top priority and we do our best to keep our Grindr community secure.”

UPDATE: After this story was published, Grindr’s Chief Technology Officer Scott Chen released a statement to HuffPost, which can be found below.  

As a company that serves the LGBTQ community, we more than many, understand the delicate nature of our users’ privacy. Ensuring safety and security of our users is of paramount importance to Grindr. For many years we have worked with numerous international health, digital rights, and privacy organizations as well as community leaders through our Grindr For Equality program to develop and release many safety and security features specifically to help our users in places where it’s not safe to be LGBTQ. 

Grindr monitors the climate of LGBTQ rights and safety around the world. In territories where homosexuality is criminalized, or it is otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users.  We also publish safety guides in local languages across the world to encourage our users to protect themselves from those who would do us harm just because of who we are.

Like any high-profile social network app, we face numerous hacks and attempted security breaches. We zealously defend against these attacks to maintain the safety and security of our users. We also leverage our impressive scale and global team of security researchers to verify and resolve any real security concern as quickly as possible. The company is in the process of implementing a bug bounty program to ensure potential security issues are responsibly disclosed in the future.

That said, anytime a user discloses their login credentials to an unknown third-party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing. 

Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.

Grindr has and will continue to protect location from being accessed by unknown third parties.

HuffPost

BEFORE YOU GO

CONVERSATIONS