
Simply copying the resetToken achieves Grindr account hijacking

2025-01-16 Update From: SLTechnology News&Howtos, Network Security

Shulou(Shulou.com)05/31 Report--

Simply copying the resetToken is enough to hijack a Grindr account. Many newcomers are unclear on how this works, so the editor walks through it in detail below; anyone who needs this can read on and hopefully learn something.

This is a test of the password reset feature of the gay social app Grindr. The server was found to return the password reset token, resetToken, directly in its response to the reset request. By simply copying that resetToken and combining it with the user's registered email address into a URL, anyone can reset another person's Grindr password and take over the account completely.

Social application Grindr

Sex, intimate relationships and online dating are deeply personal. They are part of our lives, and many of us choose to keep them private or share them only with specific people. Grindr is the world's largest social networking app for gay, bi, trans and queer people, so its user data is extremely sensitive: an account on the app reveals a person's sexual orientation, and a leak of that information can have serious real-world consequences for the people involved.

Vulnerability discovery background

A few days ago, a friend from the security community sent me a private message on Twitter about his experience reporting a vulnerability to Grindr. He said he had reported a serious account takeover vulnerability and had sent Grindr the full details, but Grindr had turned a blind eye and a deaf ear.

With nowhere else to turn, he asked me whether I could publish the vulnerability. He passed me the details; on its face the exploit is very simple, and only a small trick is needed to hijack a Grindr account. I wanted to run some confirmatory tests, and to save myself the hassle of registration (and for privacy reasons) I asked my friend Scott Helme whether he had a Grindr account.

Scott is an excellent security researcher too; a few years ago we worked together on the vulnerabilities in the Nissan LEAF that affected cars worldwide. Minutes after I sent my request for help, Scott had signed up a Grindr account for me and bound it to test@scotthelme.co.uk.

Account hijacking verification

The vulnerability lies in Grindr's password reset function, shown below, which asks for the email address bound to the account:

I entered test@scotthelme.co.uk, and after passing a CAPTCHA, I saw the following server response:

As the screenshot shows, in Chrome's developer tools (Network tab), Grindr's response to the reset request contains the password reset token, resetToken, for the account test@scotthelme.co.uk. All I had to do was combine the resetToken and the bound email address into the following URL:

Https://neo-account.grindr.com/v3/user/password/reset?resetToken=Isg6zl3q5fZsyAnAB8OCdnRgBSIYfpKkCO0O4pP1WLN0pwuClUqX24ImrLc6bb7T7DWSyFMG5lREHQmS4CsFR5uh8GEYQxF6Z6V5hsi3vSTuilXzgKRRItwdDIjmSWdq&email=test@scotthelme.co.uk

Anyone can construct this; opening the URL in a browser goes straight to the password reset form:

The password was changed successfully:

And can log in successfully:

Logging in from the app works as well:

Here we go:

With that, the account takeover is complete, and I can access all of the profile information of the Grindr account:

I can also read the account's private messages:

This vulnerability also brought to mind the revelation, a few years ago, that Grindr had been sharing users' HIV status with third parties. Finally, I also logged in to the web version of Grindr with the account:

This is the most basic kind of account takeover: all you need to know is the email address bound to the target account. It makes me wonder why Grindr's server returns the resetToken to the requester at all; a reset token should only ever reach the user through the channel that proves control of the address, in this case the email itself. I was surprised that the bar for exploitation was this low.
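The design point above is easiest to see side by side in code. The following is an added example, not Grindr's code and not part of the original write-up: two minimal in-memory password reset backends. The first reproduces the flaw described (the token is echoed back in the HTTP response to whoever submitted the email address); the second only delivers the token out of band, stores a hash of it, and makes it time-limited and single-use, while answering identically whether or not the address is registered. The mailer, the user store, the hostname reset.example.invalid and the sample account are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit


def hash_password(pw: str) -> str:
    # Placeholder for the example only; a real service would use argon2/bcrypt/scrypt.
    return hashlib.sha256(pw.encode()).hexdigest()


def sample_users() -> dict:
    # Constructed sample account for this example (same address as in the write-up).
    return {"test@scotthelme.co.uk": {"password_hash": hash_password("original-password")}}


def token_from_link(link: str) -> str:
    """Extract the resetToken query parameter from a reset link."""
    return parse_qs(urlsplit(link).query)["resetToken"][0]


class ExampleMailer:
    """Stand-in (an assumption) for the email provider; records what would have been sent."""

    def __init__(self):
        self.outbox = []

    def send(self, to: str, link: str) -> None:
        self.outbox.append((to, link))


class VulnerableResetService:
    """Reproduces the flaw in the write-up: the reset token is echoed back to the caller."""

    def __init__(self, mailer: ExampleMailer):
        self.mailer = mailer
        self.users = sample_users()
        self.tokens = {}  # token -> email, no expiry, never invalidated

    def request_reset(self, email: str) -> dict:
        if email not in self.users:
            return {"error": "unknown user"}  # secondary flaw: confirms which emails are registered
        token = secrets.token_urlsafe(96)
        self.tokens[token] = email
        self.mailer.send(email, f"https://reset.example.invalid/reset?resetToken={token}&email={email}")
        # The bug: the same token goes back in the HTTP response body, so anyone who
        # knows the victim's email address gets the reset link without touching the inbox.
        return {"resetToken": token, "email": email}

    def reset_password(self, token: str, email: str, new_password: str) -> bool:
        if self.tokens.get(token) != email:
            return False
        self.users[email]["password_hash"] = hash_password(new_password)
        return True


class HardenedResetService:
    """Token delivered only out of band, stored hashed, time-limited and single-use."""

    def __init__(self, mailer: ExampleMailer, ttl_seconds: int = 900):
        self.mailer = mailer
        self.users = sample_users()
        self.ttl = ttl_seconds
        self.pending = {}  # email -> (sha256(token), expiry timestamp)

    def request_reset(self, email: str) -> dict:
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[email] = (digest, time.time() + self.ttl)
            self.mailer.send(email, f"https://reset.example.invalid/reset?resetToken={token}&email={email}")
        # Same response whether or not the address exists, and never the token itself.
        return {"status": "If that address is registered, a reset link has been emailed."}

    def reset_password(self, token: str, email: str, new_password: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires = entry
        if time.time() > expires:
            del self.pending[email]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()):
            return False
        del self.pending[email]  # single use: a captured link cannot be replayed
        self.users[email]["password_hash"] = hash_password(new_password)
        return True


def attacker_takeover(service, victim_email: str, new_password: str = "pwned") -> bool:
    """The attack from the write-up: submit the victim's address, read resetToken from the
    response, and use it to set a new password. Needs only the email address."""
    token = service.request_reset(victim_email).get("resetToken")
    if token is None:
        return False
    return service.reset_password(token, victim_email, new_password)


def legitimate_reset(service, mailer: ExampleMailer, email: str, new_password: str) -> bool:
    """The intended path: the account owner follows the link from their own inbox."""
    service.request_reset(email)
    _to, link = mailer.outbox[-1]
    return service.reset_password(token_from_link(link), email, new_password)


if __name__ == "__main__":
    victim = "test@scotthelme.co.uk"
    print("vulnerable service taken over:", attacker_takeover(VulnerableResetService(ExampleMailer()), victim))
    print("hardened service taken over:  ", attacker_takeover(HardenedResetService(ExampleMailer()), victim))
```

Against the vulnerable service the attacker path succeeds with nothing but the email address, exactly as in the write-up; against the hardened service it fails, while the owner following the emailed link still succeeds, and a second use of the same link is rejected.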

Contact Grindr

After that, I tried to reach Grindr publicly on Twitter. A public tweet like that indirectly signals that Grindr has a security problem, in the hope of getting their attention. I then sent a direct message to Grindr's official Twitter account:

In the end, the message seemed to vanish into thin air. I then retweeted the vulnerability report and asked friends to share it. An hour and a half later, the vulnerable Grindr service went offline and the bug was quickly fixed. Once I reached Grindr through contacts in the security community, its response was fast.
