Actually, Grindr is okay: FUD and Protection Reporting
A story which ticks a couple hot-button topics for security professionals and security reporters alike on Wednesday, March 28, NBC reported Grindr security flaws expose users’ location data. It’s centered across the salacious subject of online dating sites in the LGBT community, and hits a individual security concern for folks utilizing the application everywhere, as well as the likelihood of outing LGBT individuals in areas where being homosexual, bisexual, or trans is illegal or dangerous.
Regrettably, this tale is accountable of a number of the kind that is worst of FUD — fear, doubt, and question — that still takes place when some journalists cover our industry. I am right right here to share with you, dear Grindr user, you’ll find nothing taking place at Grindr that is unreasonably exposing where you are information. In this instance, the angel is within the details.
What’s Not Just A Vuln
Eventually, once you see the the NBC tale, you can observe where this reporting shifts from news to FUD:
His site permitted users to see who blocked them on Grindr once they entered their Grindr password. Once they did so…
I’m going to simply stop you immediately, because this is a fairly big flag that is red this described vulnerability. “After they entered their Grindr account,” means, “After the consumer voluntarily compromised themselves.” Any vulnerability that reveals individual information that depends totally on already obtaining the bit that is best of individual information available — the password — is not a vulnerability.
Needless to say, I’d to be something that is missing. Perhaps there is some privilege escalation trick in play that allow the attacker, equipped with any password and username, see other people’s information, or all the data, or something that way like this. Also, the place information bit seemed down, too — I became pretty Grindr that is sure used SSL and normal API calls for location solutions, thus I ended up beingn’t yes just what the place visibility had been about. Did that also depend on already getting the user’s password?
Phishing for LOLs
The next day to ask for his write up, since I didn’t see that linked in any of the stories to get to the bottom of this, I got on the phone with Trever Faden. Ends up, he didn’t do any research that is formal. Trever is really a good man and a smart internet solutions designer, but he said bluntly that he’s “not a protection specialist.” With that caveat, he then enthusiastically described that which was really taking place with Grindr along with his very own solution, C*ck Blocked (hereafter known as “CB”).
CB worked similar to this: You, a Grindr user, provide a password and username. CB turns around and authenticates to Grindr, while you, and makes a normal-looking api ask for status, and that reaction includes a range of users who possess obstructed you.
Now, you could make a disagreement that this might be an information disclosure, kinda-sorta similar to the issue that is yopify disclosed very nearly this past year. Often APIs offer data that is delicate, and depend on client-side defenses to help keep that data private. However, the details on whom blocked you is not really all that sensitive and painful; it is often pretty apparent to your user as soon as the suspected blocker abruptly vanishes, and simple to validate by simply creating a brand new account. Therefore, that isn’t plenty a security vulnerability, but a lot more of a computer software misfeature.
No matter what you cut it, however, it can all already depend on learning the person’s password, even though Trever positively may seem like a stand up man, there’s no chance to make sure that he wasn’t secretly signing all 16,000 or so people’s account qualifications. In the event that you supplied CB your password, you ought to change it out straight away.
Your Location Is (Mostly) Safe
One other issue identified is about the area solutions that Grindr requires for its match-making. While users can choose out of showing their location, Grindr nevertheless gathers it, plus it’s nevertheless transmitted to Grindr HQ in Ca. Since Ca is a land of guidelines, important computer data might be restored by individuals who have subpoena energy.
The issue that is real by Trever is the fact that as the Grindr app enforces SSL certificate pinning, Apple iOS does make it simple enough to subvert the execution by setting up an innovative new trusted certificate authority (CA). Now, we’re big fans of cert pinning, and our Deral that is own Heiland talked at size about its virtues, and I also’m happily surprised that Grindr employs it, despite the fact that somebody with os control could disable it.
This OS control requirement is yet another flag that is red. It’s a walk that is really long get from “An attacker with real usage of the telephone can MITM Grindr data because it departs the telephone” to NBC’s “passive observers of internet traffic [. ] can recognize the area of anybody who opens the app.” The observer, in cases like this, needs to perform a substantial number of strive to be in that privileged place, and should not perform this assault throughout the system — they have to have trusted, physical usage of these devices to be able to affect the kept, trusted certificates.
FUD Hurts
In the end, i believe the point that bugged me personally the absolute most about that story on Grindr is not that this article gets some details that are technical, and sometimes even that the reporter overstated the chance. We have a nagging issue aided by the tone. Imagine Grindr users taking a look at this headline, skimming the facts, then getting frightened from the ongoing service, never to return. A lot of individuals within the LGBT community have actually individual circumstances where finding suitable individuals to date can range between problematic to dangerous. For the snickering about Grindr (and comparable apps) being simply ideal for anonymous hook-ups, I’m sure lots of individuals have discovered happiness that is true peoples connections through Grindr, and demonizing the application, or other people want it, is unneeded and misses the purpose.
If there have been real weaknesses and real danger posed to Grindr users, i might be very first in line to tsk-tsk Grindr LLC, and complain, loudly, it comes to personal privacy and physical safety that they have a special responsibility to their users when. But, there’s really very little right right here. However in the conclusion, Grindr hasn’t done any such thing wrong right right here, and their application is simply as safe as the the greater part of dating and social apps.
Upgrade (Monday, April 2, 2018): it seems that the Grindr app is, in reality, sharing some information over cleartext HTTP (compared to encrypted HTTPS) through its utilization of embedded advertising sites and analytics providers. This might be in accordance with research posted on GitHub by SINTEF, a research organization that is norwegian. To be able to intercept this data (which include GPS data), an attacker would nevertheless have to have a privileged place in the community, like the victim’s WiFi router or an ISP router, but will never have to compromise the device or install a bogus CA root certificate anywhere. Given that Grindr is alert to this dilemma, we anticipate them to upgrade their software to ensure any information that is personally identifyingPII) is sent making use of normally-encrypted networks. As guaranteed above, we have always been admonishing Grindr about that execution.