by sebmellen 2089 days ago
Imagine someone running their contact list through this. You could find everyone you know on Grindr right away, and snoop on their conversations and read their personal info...

Not only that, but emails are very easy to find these days with tools like apollo.io.

4 comments

Good point; even just being able to use it as a tool to play "gay or not" has some pretty awful implications for people who aren't openly gay.
Yes, but even if the referenced security risk is patched, you would still be able to find out if someone has an account or not, since a password reset page will tell you if it has successfully sent an email to an account.
A good password reset page would not disclose such a fact (it would return a successful response with a message "if this email exists, we'll email you" regardless of whether it actually exists); however, attempting to create an account would disclose that fact by rejecting an account creation attempt with an existing email, unless they use emails purely as communication channels and accounts are uniquely identified by username/account number instead.
>however attempting to create an account would disclose that fact by rejecting an account creation attempt with an existing email, unless they use emails purely as communication channels

They can tell the user to await an e-mail from them with the confirmation link. Then if the e-mail address is already in use, send an e-mail saying, "somebody, probably you, tried to register as <new-username> on <site> but we have you down as <old-username> already". Otherwise, send a normal confirmation link.

This is a very good idea I hadn't thought about, thanks!
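The two points made in this sub-thread (a reset page that answers identically whether or not the address is registered, and a signup flow that moves the "already registered" fact into the e-mail rather than the HTTP response) as a small worked example. This is added illustration code, not Grindr's code and not code from any commenter; the `Outbox` and `AccountStore` classes, the response strings and the sample addresses are all made up for the demo.

```python
"""Enumeration-resistant password reset and signup handlers (added example).

Both "leaky" handlers reproduce the behaviour complained about above;
both "safe" handlers return the same visible response for a known and an
unknown address and push the difference into the e-mail that is sent.
All names and sample data here are assumptions for the demonstration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Stand-in for an e-mail gateway; records (to, subject, body) tuples."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


class AccountStore:
    RESET_MSG = "If that e-mail address has an account, we've sent it a reset link."
    REGISTER_MSG = "Check your e-mail to finish signing up."

    def __init__(self, outbox: Outbox):
        self.users = {}      # email -> username (constructed sample data)
        self.pending = {}    # confirmation token -> (email, username)
        self.outbox = outbox

    # --- leaky variants: the oracle an attacker with a contact list wants ---

    def leaky_reset(self, email: str) -> str:
        if email in self.users:
            self.outbox.send(email, "Password reset", "(reset link)")
            return "Reset e-mail sent."
        return "No account with that e-mail."

    def leaky_register(self, email: str, username: str) -> str:
        if email in self.users:
            return "That e-mail is already registered."
        self.users[email] = username
        return self.REGISTER_MSG

    # --- hardened variants: identical response either way ---

    def safe_reset(self, email: str) -> str:
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.outbox.send(email, "Password reset",
                             f"https://example.invalid/reset/{token}")
        return self.RESET_MSG

    def safe_register(self, email: str, username: str) -> str:
        if email in self.users:
            # Existing address: tell the mailbox owner, not the requester.
            old = self.users[email]
            self.outbox.send(email, "Registration attempt",
                             f"Somebody, probably you, tried to register as {username}, "
                             f"but we already have you down as {old}.")
        else:
            # New address: the account only exists once the link is followed.
            token = secrets.token_urlsafe(32)
            self.pending[token] = (email, username)
            self.outbox.send(email, "Confirm your account",
                             f"https://example.invalid/confirm/{token}")
        return self.REGISTER_MSG


def demo() -> dict:
    """Run both pairs of handlers against a known and an unknown address."""
    out = Outbox()
    store = AccountStore(out)
    store.users["alice@example.invalid"] = "alice"        # constructed
    known, unknown = "alice@example.invalid", "nobody@example.invalid"
    return {
        "leaky_reset_leaks": store.leaky_reset(known) != store.leaky_reset(unknown),
        "safe_reset_leaks": store.safe_reset(known) != store.safe_reset(unknown),
        "safe_register_leaks": (store.safe_register(known, "alice2")
                                != store.safe_register(unknown, "nobody")),
        "subjects": sorted(s for _, s, _ in out.sent),
    }
```

Two caveats a practitioner would add: the response body is only one channel, so the safe handlers should also take the same time and return the same status code for both branches (queue the e-mail asynchronously rather than sending it inline), and both endpoints need per-address rate limiting, since otherwise the "somebody tried to register as you" e-mail becomes a way to spam a victim's inbox.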
Grindr saves on storage costs as much as they can. Messages are sent from the backend to a device only once. You cannot read old conversations. You cannot even see who this account has been talking to. They are only kept on the server until someone logs into the app again.

This also makes it very easy to lose conversations/content.

Social engineering trick: "Hey can you take our picture, my phone is dead, so can you just email it to me?"
It would be very easy to target a large group of individuals at a given organization.