by Nextgrid 2088 days ago
> we believe we addressed the issue before it was exploited by any malicious parties

I wonder how they are sure of this.

In their logs, there would be no difference between a legitimate password reset and a malicious one, given that even a legitimate flow would result in an initial request from some IP address, then when the user receives the email with the reset link they will most likely click on that from the same computer, thus the same IP address showing up on the logs. In case of a malicious attempt the same pattern would be seen - there is no way for them to know whether the user obtained the reset token from the e-mail (as they should) or directly from the password reset endpoint itself.


$50 says they're not. This is something every organization has to say for PR reasons, but saying "we believe" is very fishy wording. It could well be this bug has been around for months before it was discovered, and used by many black/grey-hat hackers.
Governments. It was likely used by governments.

Bi men who live straight lives with a wife and family are ridiculously common. The ability to blackmail those people is extremely valuable to certain state organizations.

I've never been gay or bi, and I've never used Grindr, but I have held government security clearances for almost 40 years. It's a lot different today than it was back then. Early on, I knew several people who had "experimented" in college, and they were denied clearances. (Actually the government never officially denied them because that would require an explanation of the criteria used for the denial. Instead, it was perpetually "pending".) Anyway, the basis for their denial was the potential for blackmail, which is a serious national security threat. Sometime within the past 25-30 years, they seem to have revised their policies so gay/bi people can get cleared, as long as they are open about it.
Foreign governments blackmailing US government staff is only one side of the equation. There is, of course, the whole "but what would the wife/churchfellows think?" issue, still, but there are still many countries that do not take the same enlightened view that the US does.

It's entirely possible that even the ability to verify that a particular email address has a Grindr account may be enough to threaten a person with imprisonment or death in several countries I can think of off the top of my head.

Verifying that an email has an account is unfortunately always unavoidable. All you need to do is attempt to register with that email.
Fortunately it's easily avoidable: You defer checking address status until you send the mail out.

So when an email-address is entered to create an account, you always respond with "pending email verification". Then you send an email saying "Someone is registering an account with us using this address." And then, when the account already exists, you continue with "lol it already exists. If this was you, you can click to reset your password". If there is no account under that address, you send the "please click to verify" mail. At no point does this process expose the status of the address.
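The flow described in the comment above, as an added example (my code, not anything from the thread or from Grindr): the HTTP response is identical whether or not the address is registered, and only the e-mail content differs. The `Outbox` mail sink and the `SignupService` class are constructed for illustration.

```python
# Added example: sign-up handler that never reveals account status over HTTP.
import secrets
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Constructed in-memory mail sink standing in for a real mailer."""
    sent: list = field(default_factory=list)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


class SignupService:
    def __init__(self, outbox):
        self.outbox = outbox
        self.accounts = {}       # email -> password hash (existing users)
        self.pending = {}        # verify token -> email awaiting confirmation
        self.reset_tokens = {}   # reset token -> email of existing account

    def start_signup(self, email):
        email = email.strip().lower()
        # Both branches do the same amount of work (one token, one mail) so
        # the response time does not leak which branch was taken either.
        token = secrets.token_urlsafe(32)
        if email in self.accounts:
            self.reset_tokens[token] = email
            self.outbox.send(
                email, "Account already exists",
                "Someone tried to register this address, which already has an "
                f"account. If this was you, reset your password: /reset?token={token}")
        else:
            self.pending[token] = email
            self.outbox.send(
                email, "Verify your address",
                f"Someone is registering an account with this address: /verify?token={token}")
        # Same body for both cases; the token is only ever delivered by e-mail.
        return {"status": "pending email verification"}
```

The token never appears in the HTTP response, so the web client learns nothing about the address beyond "a mail was sent".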

We could do better by letting the web UI say nothing about that and only in the email that we send we tell someone that they already have an account.
So were they denying clearances to openly gay people back in the old days? Because there wouldn’t be potential for blackmail in that case. Sorry I can’t tell what you’re saying changed about the policies.
Thirty years ago George Bush Senior was president, Reagan had recently left office, and the United States government was handling HIV poorly and intentionally so.

Sodomy laws were still on the books - can you keep a clearance while openly breaking the law every time you and your partner sleep together?

I don't know, that's why I asked since the original commenter seems to know, but his original comment doesn't really answer it as it basically says "they used to deny clearances to secretly gay people, and today they grant them to openly gay people".
> gay/bi people can get cleared, as long as they are open about it

That's what I have been told is the current policy in France. As long as you cannot be blackmailed with it, it is good.

I have Swedish security clearance, and I was never even asked during the interview, but I must assume they know since even a cursory glance at my social media would reveal I'm gay.
It’s not really being bi that’s the problem here so much as cheating on a wife secretly
It's only cheating if you're breaking a rule to not sleep with other people. Swingers aren't cheating (assuming they're respecting any agreed upon boundary) when they're having an orgy for example.

A bi man with a wife and a family could very well be having sexual encounters with men once in a while with the agreement of his wife (who could well have her own stuff going on too) and it could be a very healthy thing in what is a fulfilling relationship for both parties.

You might be right morally, but in a lot of countries it is still the case that 'not having sex with other people' is a compulsory clause of the marriage contract. So legally it's a little bit murkier.

People have been advocating for marriage contracts that are a bit like the CC license, where you can pick the parts that you agree on.

Are bi guys that much more likely to do this than straight ones? I could believe 2x, but it doesn't seem like an order of magnitude kind of difference
It's more about them keeping it secret; secrets are some of the most valuable currency.
It's not about cheating. It's about people other than your spouse learning you have sex with men.

This remains something quite a lot of people want to remain secret.

I wonder why you are getting downvoted so much. I don't know how common bi men are (probably more than bi erasure makes us believe) but it feels like at least a portion of them are not ready to come out as bi.
> I don't know how common bi-men are (probably more than bi erasure makes us believe)

They're not that common. The literature shows a bimodal straight/gay distribution of homosexual tendency in men and a more Gaussian distribution in women.

The "bi erasure" phenomenon is that if a man is bi, many will believe he's just gay but in denial. Because he may prefer to be seen as straight than gay, he may just let everyone think he's straight. This would reduce how many men appear to be bi in surveys.
Alternatively, I'm gay, and even though I grew up in an area of the US which wasn't that homophobic, I still hated myself for being gay enough that if I had had even a slight attraction to women then I would have just killed off the male-attraction side of me. If you're bi and grow up in a world where everything tells you that being gay is wrong, then that part of you that is attracted to guys will probably never get explored.
It also may be because of what I observe as 'masculine thinking' vs. 'feminine thinking'. It appears to be drawn biologically from the genetic male sex and 'male brain' vs. genetic female sex and 'female brain'. Natural variations exist in all things, but if you look at what's most common, with biological sex differences (which feed cultural 'stereotypes'), they still are what they are.

See Robert Greene's book "The Laws of Human Nature" (2018) for his take on the following. It's very insightful. (Chapter entitled "The Law of Gender Rigidity".)

'Masculine thinking' prefers to categorise and bifurcate. (Dualism.) I'm a guy and I consider myself having a 'super' 'male' brain in some aspects even more than the average. I find it very hard to multi-task, and I easily hyperfocus.

Male thinking solves problems by breaking things down and focusing on one part of the picture at a time. It's about specialisation.

Female thinking treats things more as a whole, with everything connected. It solves problems by looking at the whole picture at once. It's about multi-tasking.

I now see that 'male thinking' (as opposed to males), such as 'specialisation', dominates modern capitalism and public policy, and often to detriment. Most females at top levels in business at this time in our culture would appear to mostly have this success because they are 'atypically' strong in 'masculine thinking'.

Personally, I think such leadership needs more female thinking. I'm slowly trying to understand it more, as my own starting point. Modern diversity policies that change what's on the outside (how many penises are around the table) don't actually solve the real problems. We're still picking what's taking place on the inside. We need diversity of things far deeper - to embrace and celebrate true 'feminine thinking' - not just what's on the surface.

So anyway, this could help explain why female sexuality is seen to be more 'fluid', on average, than among males. It's not so much how people actually are, as how people see themselves, because of how they tend to be wired. And this is not even factoring in that there is greater cultural stigma around a male being bi vs. a female being bi.

I am a male, and 100% bi.

The reason is that bi men round off to gay whereas bi women round off to straight. Bi women are even sought after by straight men so even women who aren't bi will sometimes claim to be, there is really no such equivalence to bi men. This will give the kind of distribution you are talking about especially when done by surveys as this kind of research often is.
Literature?

Seriously?

Surely the way someone identifies publicly doesn't necessarily match with reality.

I'm not sure why being on Grindr is being seen here as a blackmail risk.

If you are visible on Grindr, you have made a kind of public testimony.

So, you have reduced your blackmail risk - since you're already at least somewhat prepared for this information to be public.

A lot of the information a user who owns an account can see is not visible to the public. I don't see why being on Grindr in 2020 would be a blackmail risk IN COUNTRIES WHERE BEING GAY IS LEGAL.
OK, but in that case you're at (potentially much) greater risk than blackmail.

Why is blackmail the risk that people on this page are going to, then, is my question. If you're willing to make a public statement then blackmail is lower risk, not higher risk.

I'm not sure, sorry. I'm not honestly sure why there's so much discussion about security clearances.

If someone gets your grindr account they can get your (a) address, (b) phone number, and (c) private photos, none of which would otherwise be public. So let's just get that out there. A reasonable user would not expect that any of those three things are readily available to a stranger that they've never talked to who merely has their email address. Especially if they turn off distances specifically to avoid triangulation attacks on their location.

Those pieces of information can be used together to harass, commit violence, or threaten to leak your photos or personal (albeit sure, not "private") conversations. Those are the obvious ones, but other information in there can also be hidden from public view, like HIV status.

With this bug a malicious person could knowingly target you based on email address instead of finding you and even putting the work into catfishing you into sending them embarrassing photos.

I'd say that's a higher blackmail risk but only because of the hack, a little. Catfishes still existed but this makes doing it invisible and massive in scale while associating it with a public ID like your email address.

I was disturbed by that statement as well. It's pure PR spin based on turning a blind eye.

They could detect mass malicious activity if a single IP was resetting thousands of accounts. But I'm skeptical they even checked based on the horrible initial flaw and specious response.

Saying they are working on the disclosure system is good, especially because it seems unprompted.
It’s possible that the emailed link contains extra query params which are logged. Checking for the existence of these query params in requests would enable them to verify that reset requests to date were clicked from email rather than using this method.
Also, the referrer header may be different too? Although it's likely nobody thought to log it.
I would expect a "Referer" value to be empty in both cases:

  - directly navigating to a URL after doing a copy-paste
  - opening a link from an email
Not saying they did, but couldn't you make an estimate by looking at frequency of resets by single accounts? If someone took over an active account presumably that person would reset the password to get back in (and have a weird email). ASSUMING Grindr logs the person out of the app when the password is reset.

You might also have a few emails from users...

This would detect a large-scale attack, but wouldn't detect small-scale, targeted attacks as they would just get lost in the noise of legitimate password resets.

Furthermore, for dormant accounts (where the user is no longer using the app - potentially because they are now in a relationship) the user will not notice anything either, and the notification email is likely to get lost in the endless newsletter spam the non-technical majority has in their inbox.

I think this is a good point. I'll admit that I'm naive about web and security (not my area). Are multiple password resets within a small time frame common? I would not expect this to be common, but user behavior has often defied my expectation. If it is uncommon I think you could create a correlation and get an estimate, if it is common then I completely agree that it would be lost in the noise.

And yeah I agree that this type of analysis wouldn't help with dormant accounts and also does require them to log the user out on their phone (otherwise why issue another reset?). But both these could be captured. This is probably way too much analysis for such an attack and over engineering the issue, but hey that's what we all do, right? haha

> Are multiple password resets common within a small timeframe?

Yes. When you reset your password once, the probability is high that you reset it many times. It is often because you don't remember it, and the new one isn't fixated in your memory. Or because I've changed devices, but my computer kept my old password, so I reset it too, and back and forth on each device until I have time to bring the two devices together and type in the same password. Basically password resets happen rarely, except when they happen, they happen in a salvo.

That is the exact opposite scenario of when London hired statisticians during the Battle of England because they were surprised how all German bombs fell on specific buildings, and were wondering why Germans would target those, only to discover that randomness meant bombs would randomly fall in clusters for no reason at all.

We see this with password email reset requests that have deliverability delays.

If the user does not receive the reset email within a few seconds, they submit more reset requests.

Also, there have been several Windows updates that cleared the saved password login info in the browser, and we get a flurry of reset requests.

This makes a lot of sense about why my priors were wrong. Thanks! (always gotta check your priors)
Increased volume of password resets would indeed suggest an attack, though it can also be explained by benign reasons (redesign of the app, marketing campaign prompting previous users to log back in, news exposure, the pandemic increasing loneliness and making more people use dating apps, etc).

However the biggest risk here is that small, targeted attacks distributed over time (where a single attacker only targets a handful of accounts) wouldn't stand out in the overall statistics.

In case of this incident, small-scale attacks (where a single person targets a single account of someone they don't like) are actually more likely which is why them saying they do not believe this was exploited while being completely unable to detect these attacks is so misleading and lures people into a false sense of security.

I've at times done a string of password resets when unusually designed sign up pages cause a password not to be captured by my password manager.

This seems to happen most when it's a multi page setup process. I often use a plain text scratchpad document to prevent the loss of data but sometimes circumstances happen.

I'm using LastPass for what it's worth. If anyone has better experiences with competitive products I'd be happy to hear about it.

Since when do beliefs require evidence?

They don’t mention any, so this is the most positive sounding but still truthful position they can take.

Best I can think of is geolocating IPs of the reset requests and then seeing if the real owner (near original location) does a second reset later to take the account back, but that’s not convincing especially if you know where the account you’re targeting lives and went through a VPN in the same city to match.

It's still pretty misleading.

They are supposed to be the experts (in the eyes of non-technical people) and if you don't have the skills to understand how the attack works it's reasonable (or at least used to be reasonable) to consider that the risk is minimal if "experts" do not believe it's bad.

This response lures their users into a false sense of security.

> This response lures their users into a false sense of security.

That's the entire point of their response though. If all you ever had to do was tell people the truth, PR wouldn't be a thing.

Logging IP addresses and having some AI/SIEM compare IPs of regular/past use to IPs on-or-after a password reset can give 'some' level of comfort. E.g. if someone has extensive use from a NY-USA IP address and the requests came from a Paris-FR IP address then 99% it is an attack and you block or send out email/SMS (just in case), or 1% that person's company guest WiFi surfaces in another country (e.g. a mega-big insurance company in London has corporate internet exiting in Chicago and a guest network exiting in London).

In any case, it is better/safer to cause some slight inconvenience to prevent data leak.

Well email tracking isn't perfect, but it can help a lot. A legitimate pattern you'd see an email open event, email click event, then successful reset in that order. An illegitimate one might have no email open or click before the reset, or clicks from multiple places or something like that. That could narrow down the list significantly.

Of course, not all email clients allow sending these events.
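As an added example (my code, not from the thread or from Grindr), here is detection logic combining the two signals suggested above: the marker query parameter that only emailed links carry, and the email open/click events preceding a completed reset. The log format, the `src=email` parameter name and the sample lines are all constructed; absence of the marker is treated as strong evidence, while a missing click is only flagged as unconfirmed because many mail clients suppress tracking.

```python
# Added example: classify completed password resets from constructed log lines.
from urllib.parse import urlparse, parse_qs

MARKER = "src"          # hypothetical parameter appended to emailed reset links
MARKER_VALUE = "email"

# Constructed log lines: "<ts> <account> <event> <url-or-dash>"
SAMPLE_LOG = """\
100 alice reset_request -
101 alice email_open -
105 alice email_click -
106 alice reset_complete /reset?token=t1&src=email
200 bob reset_request -
201 bob reset_complete /reset?token=t2
300 carol reset_request -
304 carol reset_complete /reset?token=t3&src=email
""".splitlines()


def parse_line(line):
    ts, account, event, url = line.split(" ", 3)
    return {"ts": int(ts), "account": account, "event": event, "url": url}


def has_email_marker(url):
    """True only when the link carries exactly the marker an emailed link gets."""
    return parse_qs(urlparse(url).query).get(MARKER) == [MARKER_VALUE]


def classify_resets(lines):
    """Return {account: verdict} for every reset_complete event in the log."""
    events = [parse_line(line) for line in lines]
    verdicts = {}
    for e in events:
        if e["event"] != "reset_complete":
            continue
        clicked = any(x["account"] == e["account"] and x["event"] == "email_click"
                      and x["ts"] < e["ts"] for x in events)
        if not has_email_marker(e["url"]):
            # Token was used without the emailed link: the token left the
            # server by some other path, which is exactly the bug at issue.
            verdicts[e["account"]] = "suspicious: token not from emailed link"
        elif not clicked:
            # Marker present but no click tracked; tracking is often blocked,
            # so this is a weak signal and is only marked for review.
            verdicts[e["account"]] = "unconfirmed: marker present, no click tracked"
        else:
            verdicts[e["account"]] = "consistent with email flow"
    return verdicts
```

The marker is only useful retrospectively, over logs written before the bug was known, since it is trivial to copy once the link format is public.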

They didn't say they are sure of it. They said they believe it :)