by djaque 2087 days ago
I guess the good news is that it requires knowledge of the user's email address to execute. You can't just run it on random people (emails aren't disclosed) and even if you know someone on the app in real life, chances are good that they use a personal address that you won't have.

Still a pretty bad vulnerability and pretty awful that grindr was ignoring it.


Imagine someone running their contact list through this. You could find everyone you know on Grindr right away, and snoop on their conversations and read their personal info...

Not only that, but emails are very easy to find these days with tools like apollo.io.

Good point, even just being able to use it as a tool to play "gay or not" has some pretty awful implications for people who aren't openly gay.
Yes, but even if the referenced security risk is patched you would still be able to find out if someone has an account or not, since a password reset page will tell you if it has successfully sent an email to an account.
A good password reset page would not disclose such a fact (it would return a successful response with a message "if this email exists, we'll email you" regardless of whether it actually exists). However, attempting to create an account would disclose that fact by rejecting an account creation attempt with an existing email, unless they use emails purely as communication channels and accounts are uniquely identified by username/account number instead.
>however attempting to create an account would disclose that fact by rejecting an account creation attempt with an existing email, unless they use emails purely as communication channels

They can tell the user to await an e-mail from them with the confirmation link. Then if the e-mail address is already in use, send an e-mail saying, "somebody, probably you, tried to register as <new-username> on <site> but we have you down as <old-username> already". Otherwise, send a normal confirmation link.

This is a very good idea I haven't thought about, thanks!
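The two flows discussed in this sub-thread, the "if this email exists, we'll email you" reset response and the registration flow that always tells the user to await an e-mail, as an added example that is not part of the thread. It is a self-contained in-memory service with constructed sample data; the leaky variants are shown beside the hardened ones so the difference in what a caller can learn from the response is explicit. All names, messages and the outbox structure are assumptions made for illustration.

```python
"""Enumeration-resistant password reset and registration (added example).

Every public response is identical whether or not the e-mail is known; the
difference is moved into the e-mail that goes out over the side channel the
real owner controls. Data, names and messages are constructed for this demo.
"""
from dataclasses import dataclass, field

RESET_MSG = "If that address is registered, we've sent a reset link."
REGISTER_MSG = "Check your inbox for a message from us to continue."


@dataclass
class AccountService:
    # email -> username (constructed sample data)
    accounts: dict = field(default_factory=dict)
    # out-of-band channel: list of (recipient, message-kind) tuples
    outbox: list = field(default_factory=list)

    # --- leaky variants: the behaviour the thread warns about ------------
    def leaky_reset(self, email: str) -> str:
        """Distinct responses for known vs unknown addresses -> enumerable."""
        if email in self.accounts:
            self.outbox.append((email, "reset-link"))
            return "Reset email sent."
        return "No account with that email."

    def leaky_register(self, email: str, username: str) -> str:
        """Rejecting a duplicate e-mail up front confirms it is registered."""
        if email in self.accounts:
            return "That email is already registered."
        self.accounts[email] = username
        self.outbox.append((email, "confirm-link"))
        return "Account created."

    # --- hardened variants -----------------------------------------------
    def safe_reset(self, email: str) -> str:
        """Same message either way; only real accounts receive a link."""
        if email in self.accounts:
            self.outbox.append((email, "reset-link"))
        return RESET_MSG

    def safe_register(self, email: str, username: str) -> str:
        """Same message either way. A known address gets a notice naming the
        existing account instead of a confirmation link, so nothing about
        account existence is visible to the party submitting the form."""
        if email in self.accounts:
            existing = self.accounts[email]
            self.outbox.append((email, f"already-registered:{existing}"))
        else:
            # A real system would hold this as pending until the link is
            # followed; kept as a direct insert to keep the example short.
            self.accounts[email] = username
            self.outbox.append((email, "confirm-link"))
        return REGISTER_MSG


def responses_distinguish(fn, known: str, unknown: str) -> bool:
    """True if the public response lets a caller tell the two apart."""
    return fn(known) != fn(unknown)


if __name__ == "__main__":
    svc = AccountService(accounts={"alice@example.com": "alice"})
    print("leaky reset distinguishable:",
          responses_distinguish(svc.leaky_reset, "alice@example.com", "x@example.com"))
    print("safe reset distinguishable:",
          responses_distinguish(svc.safe_reset, "alice@example.com", "x@example.com"))
    print(svc.safe_register("alice@example.com", "alice2"))
    print(svc.outbox)
```

One caveat the message text alone does not cover: the hardened branches still do different work (one sends mail, one does not), so in a real deployment the send is queued asynchronously and the handler returns in roughly constant time, otherwise response latency becomes the next enumeration oracle.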
Grindr saves on storage costs as much as they can. Messages are sent from the backend to a device only once. You can not read old conversations. You can not even see who this account has been talking to. They are only kept on the server until someone logs into the app again.

This also makes it very easy to lose conversations/content.

Social engineering trick: "Hey can you take our picture, my phone is dead, so can you just email it to me?"
It would be very easy to target a large group of individuals at a given organization.
> even if you know someone on the app, chances are good that they use a personal address that you won't have

I doubt that; I bet most users use whatever Gmail/etc personal address they use for other non-work accounts.

Extremely anecdotally: it’s [person_name]@gmail.com

I know of very few friends who go through the process of creating a burner email account to sign up for Grindr. Now, maybe that’s different in other countries, but at least in the States, I would bet good money you can guess their Gmail address.

In the case of gmail accounts you could simply prepend +grindr or any other name to the user part of the email address to get something (relatively) unguessable.
You could do that, but most users don't.