An NBC report suggests that security flaws in the gay dating app Grindr have allowed the personal details and data of millions of users to go unprotected, including their in-app messages and real-life locations.
According to NBC, the dating app had contained two security issues (since patched) that potentially exposed the data of its more than three million daily users. That includes users’ private messages to other users, their profile information, and their locations, even if they’d opted out of sharing GPS data, security analysts told NBC.
The flaws were reportedly identified by Grindr user and property management startup CEO Trever Faden, who created a third-party website called C*ckblocked that allowed Grindr users to see who had blocked them on the app. The site required them to enter their Grindr username and password, and once they had done so, Faden told NBC, he found he was able to access users’ profiles, email addresses, deleted photos, unread messages, and other private data.
NBC noted that C*ckblocked exploited a “similar security loophole” to one that was recently shown to have leaked personal data on 50 million people via Facebook.
According to NBC, users who opted out of providing location data to the app could still be located because of such security loopholes. “One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden told the site.
He also claimed that some information being sent to the company’s servers was not encoded, leaving it vulnerable to such breaches.
Officials for Grindr told NBC that they were aware of the security issues and had taken steps to change their system so as to protect data from blocked accounts.
As the Huffington Post pointed out, Grindr is one of many social media and dating apps to have previously endured a security breach. In 2014, cybersecurity researchers found that Grindr users were able to access the profiles and locations of other users anywhere in the world; in 2012, an Australian hacker also managed to impersonate several app users and expose the personal information of hundreds of thousands more.
About a week before NBC’s report was published, HuffPo also noted, Grindr had tweeted out a reminder to users that they should never share their account login information with anyone, nor use outside apps that could compromise user security.