At the moment the digital world seems to be a battleground fought over by law-makers acting in the interests of corporations and companies at risk of substantial financial losses, and hacktivists representing the everyman, who fight for freedom of speech and the open exchange of information. Then there is a slightly greyer area: hacks on networks and sites that hold the private information of thousands of people. It is hard to argue that you are acting in the interests of the masses when you start peeping into people’s everyday lives.
But this is exactly what has happened with Grindr, a location-aware smartphone app that uses the phone’s GPS to let gay men meet other gay men in their vicinity. The news in the last week is that the app’s security has been compromised by a Sydney hacker, potentially exposing intimate personal chats, explicit photos and private information of users.
According to the Sydney Morning Herald, the app does not log users in with a username and password; instead it relies on a personalised string of characters known as a hash, and that hash is the only thing the service checks. The hacker discovered that swapping in another user’s hash was enough to:
- Log in as any user
- See the user’s favourites
- Change their profile information and profile picture
- Talk to others as the user
- Access pictures sent to the user
- Impersonate a user’s “favourite” and talk to them as a friend
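The flaw above is easier to see in code. The following is an added illustration, not Grindr’s code or anything published by the Herald or the researcher: a tiny constructed API in which a per-user hash is the whole credential, next to a hardened version where the client must prove a secret once, receives a random expiring session token, and every request is resolved through a server-side session table. The user records, hashes, passwords and request shapes are all made up for the example.

```python
"""Constructed example: identity-as-credential vs. an authenticated session.

VulnerableAPI mirrors the design described in the article: whoever presents
a user's hash is treated as that user, so substituting another user's hash
impersonates them. HardenedAPI requires a secret to log in, then issues an
unguessable, expiring token that is checked server-side on every call.
Every name, hash and password below is invented for illustration.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user records. The 'hash' is a stable per-user identifier,
# exactly the kind of value the vulnerable design accepts as a credential.
USERS = {
    "alice": {"hash": "a1f3c9e2", "favourites": ["bob"]},
    "bob": {"hash": "7b22d0ee", "favourites": ["alice"]},
}


class VulnerableAPI:
    """Identity is the credential: no login step, no secret, no expiry."""

    def __init__(self, users):
        self._by_hash = {u["hash"]: name for name, u in users.items()}

    def whoami(self, request):
        # The hash in the request is looked up directly and trusted.
        return self._by_hash.get(request.get("hash"))

    def favourites(self, request):
        user = self.whoami(request)
        return None if user is None else USERS[user]["favourites"]


class HardenedAPI:
    """Prove a secret once, then hold a random, expiring session token."""

    SESSION_TTL = 3600  # seconds; constructed value

    def __init__(self, passwords):
        # Store only salted password verifiers, never the passwords.
        self._verifiers = {}
        for name, pw in passwords.items():
            salt = secrets.token_bytes(16)
            self._verifiers[name] = (salt, self._derive(pw, salt))
        self._sessions = {}  # token -> (user, expiry timestamp)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, username, password, now=None):
        rec = self._verifiers.get(username)
        if rec is None:
            return None
        salt, verifier = rec
        # Constant-time comparison so timing does not leak the verifier.
        if not hmac.compare_digest(self._derive(password, salt), verifier):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = time.time() if now is None else now
        self._sessions[token] = (username, now + self.SESSION_TTL)
        return token

    def whoami(self, request, now=None):
        now = time.time() if now is None else now
        token = request.get("token")
        sess = self._sessions.get(token)
        if sess is None:
            return None
        user, expiry = sess
        if now >= expiry:
            del self._sessions[token]  # expired: revoke server-side
            return None
        return user

    def logout(self, token):
        self._sessions.pop(token, None)

    def favourites(self, request, now=None):
        user = self.whoami(request, now)
        return None if user is None else USERS[user]["favourites"]


def demo():
    """Run both designs against the same 'attacker knows Bob's hash' scenario."""
    vuln = VulnerableAPI(USERS)
    stolen = {"hash": USERS["bob"]["hash"]}
    impersonated = vuln.whoami(stolen)  # "bob": the hash alone logs you in

    hard = HardenedAPI({"alice": "correct horse", "bob": "battery staple"})
    # Bob's identifier is no longer a credential ...
    as_bob_without_secret = hard.whoami({"token": USERS["bob"]["hash"]})
    # ... a wrong password yields no session ...
    bad_login = hard.login("bob", "guess")
    # ... and a real session is random, bound to Bob, and expires.
    token = hard.login("bob", "battery staple", now=0)
    ok = hard.whoami({"token": token}, now=10)
    expired = hard.whoami({"token": token}, now=10_000)
    return impersonated, as_bob_without_secret, bad_login, ok, expired


if __name__ == "__main__":
    print(demo())
```

The hardened version still uses a bearer token, so transport protection and logout matter; the difference from the design in the article is that the token is issued only after a secret is verified, cannot be derived from anything another user can see, and can be expired or revoked on the server.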
An unnamed security expert demonstrated, with the permission of a user, how he could log in as them and take control of their app. Speaking of Grindr, the security expert said that the app has “no real security… very poorly designed … [with] poor session security and authentication… It wouldn’t be too hard to secure this.”
In response to this security breach, Joel Simkhai (the founder of Grindr and of Blendr, the equivalent app for heterosexuals) said: “We are certainly aware of a lot of these vulnerabilities and … they will be fixed as fast as humanly possible”. He added: “We are diligently monitoring for hacking and we’ve added dedicated IT security specialists to our team. In the coming weeks, we’ll be rolling out a major security upgrade to our platform.”
Sounds like the hacker exploited a broken-authentication flaw rather than a backdoor: the hash is a static identifier that the service accepts as proof of identity, so anyone who can obtain or substitute another user’s hash can act as that user. The usual remedy is the one the expert hints at: verify a secret at login, then hand out a random, expiring session token that is checked on the server for every request.