Grindr Account System - Session Auth Bypass Vulnerability (Video)


Following its successful participation in the bc flex security program, the core team today discloses a security video that demonstrates a session auth bypass vulnerability in the Grindr account system. The vulnerability was patched in April, near the end of the bug bounty competition. The issue is that, for the password change, the app is allowed to request the service through the browser.

Attackers with a low-privilege account can send a POST request and intercept it to obtain a valid token. Once the token has been saved, the attacker is able to change the email value. After changing the email value, the attacker is able to gain access to another user's or administrator's account. To exploit the bug, the session needs to be tampered with: the request needs to be intercepted and stopped so that the valid token can be stored. After the token is stored, the attacker can use a mobile application tamper tool to inject the new email value. The flaw was that the token is not connected to the session itself; the request requires only a valid token. In the password change module, where the same problem occurs, no token is present at all in the request that sends the user through the iOS Safari browser to the account system.
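The root cause described above (a token that is valid on its own, without being tied to the session or to the value being changed) can be contrasted with a bound token. This is an added example, not code from the advisory or from Grindr; the function names, the HMAC construction, and the sample session IDs, profile ID and addresses are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment server-side secret; generated here for the demo.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, profile_id: str, new_email: str) -> str:
    """Mint a token valid only for this session, this account and this email."""
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps(["emailChange", session_id, profile_id, new_email.lower()])
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()


def weak_check(token: str, new_email: str, issued: set) -> bool:
    """Flawed pattern from the advisory: any valid token is accepted.
    The email in the request is never compared with what the token was for."""
    return token in issued


def bound_check(token: str, session_id: str, profile_id: str, new_email: str) -> bool:
    """Hardened check: recompute the token from the server-side session state
    and the submitted email, then compare in constant time."""
    expected = issue_token(session_id, profile_id, new_email)
    return hmac.compare_digest(expected.encode(), token.encode("utf-8", "replace"))


def demo() -> dict:
    """Constructed scenario: token issued for one email, request altered in transit."""
    issued = set()
    tok = issue_token("sess-A", "1001", "user@example.test")
    issued.add(tok)
    return {
        # Same token, different email: the weak check does not notice.
        "weak_tampered_email": weak_check(tok, "admin@example.test", issued),
        "bound_original": bound_check(tok, "sess-A", "1001", "user@example.test"),
        "bound_tampered_email": bound_check(tok, "sess-A", "1001", "admin@example.test"),
        "bound_other_session": bound_check(tok, "sess-B", "1001", "user@example.test"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The same binding applies to the password change flow, where the request carried no token at all; a production token would also carry an expiry and be single-use.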

Proof of Concept

The session token reset auth bypass issue can be exploited by local low privileged user accounts without user interaction.

Email Change PoC:
https://account.grindr.com/user/success?locale=de&redirect_url=grindr-account%3A%2F%2FemailChange%3FauthenticationToken%3D4ee64c484cdf03b640c8ce835af179b98b9a5872f6a56e85339b5ddbd1194d69%26email%3Dbkm%2540evolution-sec.com

https://account.grindr.com/user/success?locale=de&redirect_url=grindr-account%3A%2F%2FemailChange%3FauthenticationToken%3D4ee64c484cdf03b640c8ce835af179b98b9a5872f6a56e85339b5ddbd1194d69%26email%3Dadmin%2540evolution-sec.com

Password Change PoC: NO TOKEN REQUIRED!!!!
https://account.grindr.com/user/password?email=Bkm%40evolution-sec.com&locale=de&profileId=44889459
 

Grindr Bug Bounty Competition 2015 - Auth Bypass old email to email new

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1419

 
