An unknown hacker has been sending thousands of warning messages to Grindr users in countries that are known to be hostile towards LGBT people, informing them of a security flaw that could allow any government agency or tech-savvy person to determine their exact real-time location.

The anonymous tipster claims to have used a secondary flaw to send messages to over 100,000 users in 70 countries with anti-gay laws, some of which make homosexuality punishable by death.

The hacker explains why he went public with the alleged security flaw:



I know officials at Grindr have been informed several times within the past months about these issues, which would seem to imply that the concept of “social responsibility” is lost upon Grindr. While you may live in a country where using Grindr is no big deal, there are countries like Sudan and Yemen where anti-gay laws have been enacted with severe consequences[3], e.g. the death penalty. Knowing that Grindr users in countries such as these are being put unnecessarily at a high risk should be reason enough for Grindr to change its system. Even without such a risk: Would you want it to be possible for someone to show on a map exactly where you are, to the point where they could tell if you were using Grindr in the bathroom or on the couch?

NDTV explains the problem in more detail:



While the app only shows users the distance between them and other users, specific location data can be extrapolated by querying Grindr’s servers from three different places and triangulating the information received. This process can also be automated using commonly available tools, and the resulting coordinates can be overlaid on a map. The flaw arises from the fact that anyone can query Grindr’s servers using standard JSON (JavaScript Object Notation) without needing to be authenticated. The server’s response will contain whatever information users have added to their profiles, potentially including a photo, text description, age, ethnicity, body type, time last seen online, and relationship status. Users can choose not to show their location to other users. If this flag is set, the JSON response will not contain location data. The YouTube link included in the anonymous messages and Twitter account leads to a video demonstrating the process in several parts of the world. With a single click, user profiles are displayed as pins on a map. The second security risk is that message senders can be spoofed, and users can be impersonated. The Pastebin dump contains specific instructions including details of Grindr’s messaging protocols and server addresses. This is how the unknown whistleblower has been sending out hundreds of thousands of messages.
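The geometry NDTV describes, and the server-side countermeasure that bounds it, as an added illustration that is not part of the article, of NDTV's report, or of any Grindr code. Everything here is constructed: the user position, the three vantage points and the 500 m grid cell live in a flat, metre-based coordinate frame, and `reported_distance` stands in for whatever a location-sharing service would return to a querier. It shows why an exact distance disclosed to three observers pins a user down, and why snapping the user's position to a grid cell before computing any distance limits what repeated querying can recover.

```python
import math
from typing import List, Optional, Tuple

Point = Tuple[float, float]


def trilaterate(p1: Point, d1: float, p2: Point, d2: float,
                p3: Point, d3: float) -> Optional[Point]:
    """Recover the point whose distances to p1, p2, p3 are d1, d2, d3.

    Subtracting the circle equation for p1 from those for p2 and p3 cancels
    the quadratic terms and leaves a 2x2 linear system, solved with Cramer's
    rule. Returns None when the vantage points are collinear (singular
    system): a third observation off that line is needed.
    """
    (x1, y1), (x2, y2), (x3, y3) = p1, p2, p3
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    c1 = d1 ** 2 - d2 ** 2 + x2 ** 2 - x1 ** 2 + y2 ** 2 - y1 ** 2
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    c2 = d1 ** 2 - d3 ** 2 + x3 ** 2 - x1 ** 2 + y3 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        return None
    return ((c1 * b2 - c2 * b1) / det, (a1 * c2 - a2 * c1) / det)


def snap_to_grid(p: Point, cell: float) -> Point:
    """Mitigation (assumed design, not any vendor's): replace the true
    position by the centre of its grid cell before any distance is derived,
    so every user in the cell is reported identically."""
    return (math.floor(p[0] / cell) * cell + cell / 2,
            math.floor(p[1] / cell) * cell + cell / 2)


def reported_distance(user: Point, vantage: Point,
                      cell: Optional[float] = None) -> float:
    """Distance a service would hand to a querier standing at `vantage`.
    cell=None returns the exact distance (the disclosure the article
    describes); with a cell size the position is snapped first."""
    pos = user if cell is None else snap_to_grid(user, cell)
    return math.dist(pos, vantage)


def localize(user: Point, vantages: List[Point],
             cell: Optional[float] = None) -> Optional[Point]:
    """What three distance readings from `vantages` reveal about `user`."""
    d = [reported_distance(user, v, cell) for v in vantages]
    return trilaterate(vantages[0], d[0], vantages[1], d[1], vantages[2], d[2])


def localization_error(user: Point, vantages: List[Point],
                       cell: Optional[float] = None) -> Optional[float]:
    """Metres between the recovered point and the user's true position."""
    est = localize(user, vantages, cell)
    return None if est is None else math.dist(est, user)


if __name__ == "__main__":
    # Constructed scenario: a user at (300, 400) m observed from three corners.
    user = (300.0, 400.0)
    vantages = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
    print("exact distances  -> error %.3f m" % localization_error(user, vantages))
    print("500 m grid snap  -> error %.1f m" % localization_error(user, vantages, 500.0))
    # A second user in the same cell is indistinguishable from the first.
    print("same cell, other user ->", localize((499.0, 1.0), vantages, 500.0))
```

With exact distances the three readings recover (300, 400) to floating-point precision, which is the whole problem. With a 500 m cell every querier, from any vantage point, sees the centre (250, 250), so the error stays bounded by the cell size no matter how many times the query is repeated. Rounding only the returned distance is a weaker fix: the true position still feeds every reading, so fresh vantage points keep supplying fresh constraints, whereas snapping the position first makes every observation consistent with the same cell centre.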

Watch a video showing the alleged Grindr security flaw in action:



A Grindr spokesperson responded to the flaw with the following statement to The Gaily Grind:



We don’t view this as a security flaw. As part of the Grindr service, users rely on sharing location information with other users as core functionality of the application and Grindr users can control how this information is displayed. For Grindr users concerned about showing their proximity, we make it very easy for them to remove this option and we encourage them to disable ‘show distance’ in their privacy settings. As always, our user security is our top priority and we do our best to keep our Grindr community secure.

When we asked specifically about NDTV’s claims that users who allow their proximity data to be displayed can have their real-time GPS location exposed, Grindr did not have any additional comments.

We will keep you updated on any further developments.

[H/T: NewNowNext]