Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, reported a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.
Grindr’s password reset page was leaking password reset tokens to the browser, which meant anyone could trigger the password reset who had knowledge of a user’s registered email address, and collect the password reset token from the browser if they knew where to look.
Thus with that crafted link, the malicious user can reset the account owner’s password and gain access to their account and the personal data stored within, including account photos, messages, sexual orientation and HIV status and last test date.
Grindr addressed the issue and soon fixed it.
"id": "GRI235631222",
"linkid": "grindr",
"type": "Vulnerability",
"date": "10/2020",
"severity": "60",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"