A US tech developer has claimed hookup app Grindr contains a security flaw that can expose sensitive location data of its users, even if they’ve opted out of sharing that information.
Grindr requires its users to send location data from their device to its servers in order for the app to work.
But tech professional Trevor Faden told NBC News that he’d discovered that some of that information is not encrypted before it’s sent.
That means that anyone snooping on internet traffic – for example, on a public Wi-Fi network monitored by a country’s government — could pinpoint the exact location of anyone who opens the app, Faden claimed.
That’s an issue given how sensitive that location data can be to some of the app’s reported 3 million daily users in more than 232 countries around the world.
Homosexuality is illegal in more than 70 countries, 13 of which punish homosexual activity with the death penalty, according to the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA).
Faden first made headlines two weeks ago for creating an online tool called “Cockblocked” that allowed Grindr users to see exactly who had blocked them on the app. Faden built the website to exploit a second, separate flaw he’d found in the app’s coding, he said.
Grindr users were invited to enter their username and password into the website – not affiliated with Grindr – and Faden was able to show the users who had blocked them, as well as access a trove of other personal information and location data, including that of some users who had opted out of sharing it.
Faden shut the “Cockblocked” website down last last week after Grindr fixed the vulnerability it used.
In a statement to NBC News, Grindr said it was aware of the vulnerabilities that Faden had found and had changed its system to prevent access to data regarding blocked accounts.
But the company did not change how its app sends location data openly over the internet, NBC reported.
The company also warned people not to enter their Grindr logins into other third party apps or websites.
“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement.
“Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”
Important reminder: Never share your Grindr account information or password with third parties. Using unauthorized tools puts your Grindr account at risk. For questions about account security email email@example.com. Safe Grinding!
— Grindr (@Grindr) March 19, 2018