A Site Called C*ckblocked Exposed Grindr's Life-Threatening Security Flaws
Anyone could access a user's location, whether they opt out of location services or not.
BY CHRIS THOMAS
In a series of unfortunate events that could only happen in the strange Upside Down we’re living in, a new website called C*ckblocked helped expose two major security flaws on the Grindr hookup app.
C*ckblocked allowed users to enter their Grindr login info and see a list of every user who has ever blocked them, which undoubtedly sent a legion of therapists into a stress sweat. After setting up the site, founder Trever Faden, who also acts as CEO of the property management startup Atlas Lane, realized that he had access to a treasure trove of data on Grindr users — including unread messages, email addresses, and deleted photos.
This is obviously bad, but far more dangerous was the full access to the location of users, regardless of whether they opt out of location sharing. According to cybersecurity experts, these issues have exposed the information of the nearly 3 million daily users of the app. “One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user's exact location,” Faden explained.
Another major security flaw he found went beyond location sharing and could realistically put Grindr users’ lives in danger. For the app to work, users have to send location data to Grindr’s servers, and some of that information isn’t encoded. That means anyone browsing through internet traffic could identify the location of anyone who opens the app. In countries where homosexuality is illegal and governments watch over public Wi-Fi data, this could be a death sentence.
In a statement issued to NBC News, Grindr said “it was aware of the vulnerabilities that Faden had found and had changed its system to prevent access to data regarding blocked accounts.”
“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”
Cooper Quintin, a security researcher at the Electronic Frontier Foundation, reviewed Faden’s findings and confirmed the flaws.
“There are a million reasons why you might not want someone to find your location through Grindr, and Grindr is dealing with that as a non-issue,” Quintin said. “They’re putting people’s lives at risk by doing that.”