Grindr는 모든 사용자 계정을 완전히 탈취 할 수있는 버그를 수정했습니다.

newsroom 10/4 '20 posted 뉴스 IT

• 인기있는 LGBT + 연결 앱인 Grindr는 해커가 사용자의 등록된 이메일 주소를 알고있는 경우 모든 계정을 탈취 할 수있는 눈에 띄는 보안 결함을 수정했다고 TechCrunch는 보도했습니다.

• 프랑스 보안 연구원 인 Wassime Bouimadaghene은 원래 9 월에 취약점을 발견했습니다.

• 고맙게도 우리는 악의적인 당사자가 악용하기 전에 문제를 해결했다고 믿습니다.

• Hunt는 Scott Helme가 설정한 테스트 계정의 도움을 받아 취약점을 테스트하고 확인했으며 그의 발견 사항을 TechCrunch와 공유했습니다.

• 그 조작된 링크를 사용하여 악의적인 사용자가 계정 소유자 암호를 재설정하고 계정의 사진, 메시지, 성적 취향, HIV 상태, 최종 테스트 날짜 등 계정과 거기에 저장되어있는 개인 데이터에 액세스할 수 있습니다.

• Hunt는“이것은 내가 본 것 중 가장 기본적인 계정 탈취 기술 중 하나입니다.

• Grindr의 최고 운영 책임자인 Rick Marini는 성명에서 TechCrunch에 다음과 같이 말했습니다.“취약점을 확인한 연구원에게 감사드립니다.

• 또한 연구원들이 향후 서비스를 안전하게 유지하는 데 도움이되는 추가 인센티브를 제공하는 새로운 버그 바운티 프로그램을 곧 발표 할 것입니다.”라고 회사는 말했습니다.

• Grindr는 올해 초 중국 소유주인 베이징 Kunlun이 중국 소유가 국가 안보 위협을 구성한다는 비난에 따라 주로 미국인들이 주도하는 로스 앤젤레스에 본사를 둔 회사에 매각되었습니다.

• Grindr는 공격자가 사용자의 이메일 주소를 알고있는 경우 Grindr 계정을 쉽게 도용할 수있는 보안 결함을 수정했습니다.

• 취약점을 발견한 프랑스 보안 연구원 Wassime Bouimadaghene은 여러 채널을 통해 보고하는 데 실패한 후 Troy Hunt에게 Grindr에게 연락 할 수 있도록 도움을 요청했습니다.

Paying Evil Corp Ransomware Might Land You a Big Federal Fine [www.wired.com]

Hacking Grindr Accounts with Copy and Paste [www.troyhunt.com]

A security flaw in Grindr let anyone easily hijack user accounts [techcrunch.com]

Grindr fixes issue that let hackers easily hijack accounts [gizmodo.com]

Just a moment... [www.bleepingcomputer.com]

Grindr Vulnerability Allowed Takeover With Just Email Address [www.socaltech.com]

newest replies popular replies

Open Wiki - Feel free to edit it. -

10/4 '20 answered

The bug is now fixed, thanks to @wasbou reporting the issue. @troyhunt and @scott_helme also verified the bug. “This is one of the most basic account takeover techniques I’ve seen." Any who knew where to look could've hijacked a Grindr account in seconds.https://t.co/BeFrrLRN8Z
— Zack Whittaker (@zackwhittaker) October 2, 2020

This vulnerability was definitely a critical issue. Concerning a company the size of Grindr could have such a flaw. https://t.co/0PtHFdRvW8
— Sean Wright (@SeanWrightSec) October 2, 2020

It’s literally copy-paste. “This is one of the most basic account takeover techniques I've seen.” More details on the Grindr vuln by @troyhunt: https://t.co/8PyBH2SOhA
— kyrah (@kyrah) October 3, 2020

So this is bad. https://t.co/zoommh3pYb
— Eva (@evacide) October 2, 2020

Whist we try not to 'over-egg the pudding' in these matters, this was a trivial attack to hack into and fully takeover *any* Grindr account you wanted, it's pretty bad: https://t.co/jp77PqZly2 @troyhunt @wasbou
— Scott Helme (@Scott_Helme) October 2, 2020

New: A major security vulnerability in dating app Grindr allowed anyone with a user's email address to reset their password, hijack their account, and access their private data.https://t.co/yZPgKkF2FU
— Zack Whittaker (@zackwhittaker) October 2, 2020

lol hard to believe this wasn't intentionalhttps://t.co/SmuTYWefp1
— Paul Gold ? (@RealOldPaul) October 3, 2020

apologies to everyone who received my unsolicited nudes during this security breach https://t.co/hdDpyg3Vy0
— Shon (@shonwashed) October 3, 2020

Here's how it worked: A user resets their password, and the password reset token is sent as a clickable link to the user's email. But the token was also leaked to the browser, making it very easy for an attacker to create their own password reset link.

➡️ https://t.co/mupvYuZDSh pic.twitter.com/xlvSKQUFQv
— Zack Whittaker (@zackwhittaker) October 2, 2020

“Grindr has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.” I wonder how such basic flaws ever make it into prod? https://t.co/XZpOVNEz6j
— kyrah (@kyrah) October 3, 2020

So here's the @Grindr story and how a simple vulnerability found by @wasbou made it trivial to takeover @Scott_Helme's account by copying and pasting a token out of the password reset response page: https://t.co/HCE6O1Vltf
— Troy Hunt (@troyhunt) October 2, 2020

Just blogged: Hacking Grindr Accounts with Copy and Paste https://t.co/IconP1ndsd
— Troy Hunt (@troyhunt) October 2, 2020

lol hard to believe this wasn't intentionalhttps://t.co/SmuTYWefp1
— Paul Gold ? (@RealOldPaul) October 3, 2020

Whist we try not to 'over-egg the pudding' in these matters, this was a trivial attack to hack into and fully takeover *any* Grindr account you wanted, it's pretty bad: https://t.co/jp77PqZly2 @troyhunt @wasbou
— Scott Helme (@Scott_Helme) October 2, 2020

A security flaw in #Grindr let anyone easily hijack user accounts.
? https://t.co/EYULylCbi5 #Infosec #CyberSecurity #CISO #InfoSecurity #socialMedia #DataBreach #DataPrivacy pic.twitter.com/7hwXySWRzD
— Stéphane Nappo (@StephaneNappo) October 2, 2020

.@Grindr fixed a bug allowing full takeover of any user account
By @BleepinComputer https://t.co/M2jLj8So3v #CyberSecurity #Infosec #technology
Cc: @archonsec @todddlyle @PVynckier @fogle_shane @AudreyDesisto @Victoryabro @BillMew @CioAmaro @Corix_JC @_SChmielewski @RagusoSergio pic.twitter.com/jqoRkxnKy1
— Fabrizio Bustamante (@Fabriziobustama) October 3, 2020

Grindr fixed a bug allowing full takeover of any user account https://t.co/fNJ3qoyFvc
— Nicolas Krassas (@Dinosn) October 3, 2020

permanent link

Open Wiki - Feel free to edit it. -

10/4 '20 answered

Hacking Grindr Accounts with Copy and Paste https://t.co/mZEArqBgh8
— /r/netsec (@_r_netsec) October 3, 2020

@troyhunt THIS is the best post!!! Have to thank you for making me laugh in 2020, while helping to keep people online safe.

Hat tip ? Wassime BOUIMADAGHENE and Scott Helme @Scott_Helme.https://t.co/RdMkd0BFJT
— Carlos Court (@LeButcha) October 3, 2020

Fuck this is dreadful. I mean, fine, Grindr did the right thing *once* the tweet got some attention (and good for them for raising a bounty programme afterwards) but still... how did not even the most basic developer see this flaw?https://t.co/qoDyKTE0R8
— Chris Ward :: #BlackLivesMatter #TransLivesMatter (@christopherward) October 3, 2020

Grindr has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.
https://t.co/E4veExYAij
— Adam Levin (@Adam_K_Levin) October 3, 2020

permanent link

Featured

Important Notice: Discontinuation of Our Wiki Service

Dear Valued Users,

We hope this message finds you well. We are writing to inform you of an important upcoming change to our services. After careful consideration and analysis, we have made the difficult decision to discontinue our wiki site, effective one month from 2024/04/30.

This was not an easy decision to make, as we understand the importance of the resources and community that have been built around our wiki. However, due to evolving market conditions and strategic realignments, we must redirect our resources and efforts towards other ventures that will allow us to serve you better in the future.

What This Means for You:

Access to Content: You will continue to have full access to all content on the wiki until the discontinuation date. We encourage you to save or migrate any content you wish to retain.
Final Date of Service: The wiki will become inaccessible starting 1st June 2024, after which all content will be permanently removed.

We are immensely grateful for the support and contributions of our user community throughout the years. The wiki is being retired, but our team will be back soon with new services and apps.

Thank you for being a part of our journey.

Warm regards,

editoy Inc.

Related

Featured