Just How Secure Is Your Grindr Account, Anyway?

New data breaches expose longstanding flaws in the ubiquitous app.

As Facebook finds itself under fire for allowing Cambridge Analytica to mine user information, Grindr, the world’s largest gay hookup app, is in the middle of a security breach scandal of its own.

Recent programming flaws exposed sensitive personal information belonging to the app’s more than 3 million daily users, including the location of those who opted to not share that information. (Grindr allows users to choose whether or not to share their location, a crucial option for members living in areas where homosexuality is illegal.)

Trever Faden first exposed the security flaws while creating C*ckblocked, a site that allowed visitors to find out who blocked them on Grindr, simply by entering their Grindr usernames and passwords. Once users logged into C*ckblocked, Faden was able to use their passwords to access unread messages, email addresses, deleted photos, and location data not publicly available from profiles.

This isn’t the first time security flaws have plagued the app: A flaw was exposed in 2014 by an anonymous tipster who messaged more than 100,000 users in 70 countries, warning them that their security, and possibly their lives, were in jeopardy. In some parts of the world, homophobic gangs have used what’s called a colluding trilateration attack, in which several accounts at known positions each read the “distance away” figure the app shows for a target and intersect those distances, to pinpoint a Grindr user’s exact location, and threaten, rob or even beat them.
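The attack described above, as an added example that is not Grindr’s code or the page’s own: three colluding accounts at known positions each read the distance the app reports to the same target, and the three distance circles are intersected to recover the target’s position. The coordinates, the observer positions and the `app_reported_distance_m` stand-in for the app’s distance display are all constructed for the example; the function also shows that rounding the displayed distance only blunts the attack rather than stopping it.

```python
"""Colluding trilateration against a proximity app (added example, not
Grindr's code). Three observers at known positions, three reported
distances, one recovered location."""
import math

EARTH_RADIUS_M = 6_371_000.0


def to_local_xy(lat, lon, lat0, lon0):
    """Project (lat, lon) in degrees to metres east/north of (lat0, lon0).
    Equirectangular approximation; the error is far below a metre over the
    few hundred metres involved here."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def to_lat_lon(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def app_reported_distance_m(observer, target, round_to_m=1):
    """Constructed stand-in for the app's "N metres away" figure (not the
    real API): the true distance rounded to the display granularity."""
    return round(haversine_m(observer, target) / round_to_m) * round_to_m


def trilaterate(observations):
    """Recover the target from three (observer_position, reported_distance)
    pairs supplied by colluding accounts.

    Each observation is a circle (x - xi)^2 + (y - yi)^2 = di^2 in a local
    planar frame centred on the first observer. Subtracting the first
    circle from the other two leaves two linear equations in (x, y),
    solved here by Cramer's rule."""
    if len(observations) != 3:
        raise ValueError("need exactly three observations")
    (p1, d1), (p2, d2), (p3, d3) = observations
    lat0, lon0 = p1
    x1, y1 = 0.0, 0.0
    x2, y2 = to_local_xy(*p2, lat0, lon0)
    x3, y3 = to_local_xy(*p3, lat0, lon0)

    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2

    det = a * e - b * d
    if abs(det) < 1e-6:
        # Collinear observers: the two difference lines are parallel and
        # the system has no unique solution. Move one observer off the line.
        raise ValueError("observer positions are collinear; move one off the line")
    x = (c * e - b * f) / det
    y = (a * f - c * d) / det
    return to_lat_lon(x, y, lat0, lon0)


def attack_error_m(round_to_m=1):
    """Run the attack against a constructed target and return how far, in
    metres, the recovered position lies from the truth. All coordinates are
    made up for the example; the observers sit roughly 400 m from the target
    at about 120-degree spacing, which is the geometry an attacker wants."""
    target = (40.7131, -74.0055)
    observers = [(40.7164, -74.0060), (40.7110, -74.0019), (40.7110, -74.0101)]
    observations = [(o, app_reported_distance_m(o, target, round_to_m)) for o in observers]
    return haversine_m(trilaterate(observations), target)


if __name__ == "__main__":
    for granularity in (1, 10, 100):
        print(f"distance shown to nearest {granularity:>3} m -> "
              f"position error {attack_error_m(granularity):6.1f} m")
```

With metre-precise distances the recovered position is within a metre of the truth; rounding the displayed distance to the nearest 100 m still leaves the target inside a few tens of metres, which is why hiding or coarsening the distance alone is a weak defence and why the option to withhold location entirely matters.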

In 2016, scientists at Kyoto University demonstrated how easy it was to discern a Grindr user’s location, even when that option was turned off.

Grindr told NBC News it was aware of the vulnerabilities C*ckblocked exposed and had closed the hole that allowed the access. (Since the patch, C*ckblocked has shut down.)

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

The company has not, however, changed how it sends location data over the Internet.

And there’s another concern: After Grindr founder Joel Simkhai sold the company to a Chinese conglomerate, Beijing Kunlun Tech, experts worry the Chinese government is harvesting personal information about Americans from their Grindr profiles.

According to former U.S. intelligence officer Peter Mattis, China routinely sweeps and stores “massive amounts of data” from both its own citizens and foreign users.

“What you can see from Chinese intelligence practices is a clear effort to collect a lot of personal information on a lot of different people, and to build a database of names that’s potentially useful either for influence or for intelligence,” Mattis told The Washington Post.

Under Chinese law, the government can use a “public security” clause to demand private information from Chinese-owned companies. The definition of “public security” is flexible, and the government can use the clause at its discretion.

Bryan van Gorder usually writes about the places he's been or the famous people forced to talk to him.
@bvangorder