At Least 100,000 Grindr and Blendr Users’ Naked Photos Now Belong to a Hacker
Over 3 MILLION Global Grindr users should be bracing for the worst today – if the worst is naked pictures of yourself splashed across the internet, or maybe even tweeted out from your own linked Twitter account to all of your followers.
A hacker successfully shared the compromised data of 100,000 Australian Grindr and Blendr users on a website, including naked photos, intimate conversations, and links to users’ social media handles.
How’d the hacker do it? Well, it turns out that Grindr had absolutely no security features.
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.
The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had “no real security” and were “poorly designed”. Fairfax Media is not aware that Blendr has been hacked but the potential was there, according to the security expert.
The founder of the apps, Joel Simkhai, conceded both were vulnerable and he was rushing to release a patch to address the issues. He said he had originally been waiting until new architecture was built “within weeks” but was now releasing an update to both apps “over the next few days”.
It is understood the hacker changed the profile picture of numerous Sydney Grindr users to explicit images. One user who was targeted confirmed they had been banned due to a perceived terms of service violation.
A security expert – who did not wish to be named because he didn’t have Mr Simkhai’s permission to analyse his systems – said that the Grindr and Blendr apps “had no real security”.
They are “very poorly designed … [with] poor session security and authentication”, the expert said. “It wouldn’t be too hard to secure this.”
The Sydney Morning Herald report quoted above details the controversy in Australia, but there’s no reason to believe this leak is confined only to Oz.
Grindr is recommending that users who fear a privacy leak permanently delete their accounts manually. Directions can be found here.
(via Sydney Morning Herald)