Stolen passwords through Zoom, access to Obama’s Twitter account and, just last month, the ability to log in to Grindr with somebody else's account: hacking is becoming more and more prominent in our daily life. But what about the good guys, the ethical hackers who report a flaw in your code? Here’s what we can learn from the Grindr data breach.
So, this was an awkward story. Grindr, a dating app for the LGBTQ+ community, has fixed a massive security vulnerability which was found (and reported) by Wassime Bouimadaghene, a French security researcher. What happened? Well, to reset a password, Grindr sends the user an email with a link that includes a reset token. If you click it, you can change your password. Pretty basic. But the response to the reset request itself also contained that token: when someone asked for a password reset, the token that should only have travelled over email was handed straight back to their browser. So all an attacker needed was the victim's email address. Request a reset for that address, read the token out of the response, build the reset link yourself, set a new password and enjoy somebody else's Grindr account.
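To make the flaw concrete, here is an added simulation (not Grindr's code, and the request/response shapes, user store and reset URL are all assumptions for illustration) of a password-reset endpoint that echoes the token back to the caller, next to a hardened version that only ever sends the token by email, answers identically for known and unknown addresses, and makes tokens expire and work once.

```python
"""Password-reset token leak: vulnerable handler beside a hardened one.

Constructed example, not Grindr's code. The stores below stand in for a
database and a mail server; the URL and JSON shapes are assumptions.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# In-memory stand-ins for a database and an outgoing mail queue (constructed).
USERS = {"alice@example.com": {"password": "old-password"}}
RESET_TOKENS = {}   # token -> (email, expiry as a UNIX timestamp)
OUTBOX = []         # (recipient, body) pairs "sent" by the app


def send_email(to: str, body: str) -> None:
    """Stand-in for the mail server: the token's only legitimate channel."""
    OUTBOX.append((to, body))


def reset_link(token: str) -> str:
    # Assumed link format; the real one is not part of this example.
    return f"https://app.example.com/reset?token={token}"


def token_from_link(link: str) -> str:
    """Extract the token from a reset link (what the victim's browser would do)."""
    return link.split("token=", 1)[1]


def _issue_token(email: str, now: float) -> str:
    token = secrets.token_urlsafe(32)          # 256 bits, unguessable
    RESET_TOKENS[token] = (email, now + TOKEN_TTL_SECONDS)
    return token


def request_reset_vulnerable(email: str, now: float = None) -> dict:
    """Flawed handler: the freshly minted token is copied into the response.

    Whoever submits the victim's address gets the same secret the victim
    receives by email, so email alone is enough to take over the account.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return {"status": "unknown_user"}      # also confirms which emails exist
    token = _issue_token(email, now)
    send_email(email, reset_link(token))
    return {"status": "ok", "email": email, "reset_token": token}


def request_reset_fixed(email: str, now: float = None) -> dict:
    """Hardened handler: the token leaves the server only via the mailbox.

    The response is identical whether or not the account exists, so the
    endpoint cannot be used to enumerate registered addresses either.
    """
    now = time.time() if now is None else now
    if email in USERS:
        token = _issue_token(email, now)
        send_email(email, reset_link(token))
    return {"status": "ok",
            "message": "If that address is registered, a reset link has been sent."}


def reset_password(token: str, new_password: str, now: float = None) -> bool:
    """Consume a token: it must exist, be unexpired, and is removed on first use."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)      # pop => single use, valid or not
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    USERS[email]["password"] = new_password
    return True


def attacker_takeover(victim_email: str, new_password: str) -> bool:
    """Replay the attack against the vulnerable endpoint using only an email address."""
    leaked = request_reset_vulnerable(victim_email)
    token = leaked.get("reset_token")
    return token is not None and reset_password(token, new_password)


if __name__ == "__main__":
    print("takeover via leaked token:", attacker_takeover("alice@example.com", "pwned"))
    print("fixed response:", request_reset_fixed("alice@example.com"))
```

Run the module to see the takeover succeed against the vulnerable handler while the hardened handler's response carries nothing an attacker can use; the token it issues is still perfectly usable, but only by whoever can read the mailbox.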
Wassime turned out to be one of the good guys. He contacted Grindr and notified them about the vulnerability. What happened next? Nothing, really. They ignored him several (!) times. That’s why he turned to a fellow ethical hacker who also writes about security online, Troy Hunt, who published the details. Only after that publication did Grindr react and patch the vulnerability. So, what can we learn from this incident?
There are still lots of good (ethical) hackers! For example, security researchers who look for flaws in the systems of various companies, as a hobby or for a living. If they find a vulnerability, they contact the company, explain how they were able to get in, and suggest how to stop others from doing the same. Many companies reward such reports through a bug bounty program, but a researcher acting in good faith will report the flaw whether or not there is money on the table.
The awkward part of the Grindr story is not only the vulnerability itself. The way the report was handled could have been much better: a direct conversation with the hacker would have fixed the flaw earlier, and it would never have had to be published on a blog to get attention. So, if a person tells you that the security of your website should be improved, investigate. Make it easy to reach you in the first place (a published security contact address, or a security.txt file on your site), acknowledge every report, and keep the reporter informed until the issue is fixed.
A security breach happens when the underlying security controls are bypassed, leading to unauthorized access to private information. For example, if a hacker ‘breaks in’, he or she may be able to access personal accounts, data and billing information. Common ways a breach starts are malware (viruses), phishing, password attacks such as brute forcing or credential stuffing, and ransomware; a DDoS attack takes a service down rather than stealing data, but it is often used alongside other attacks. If you are aware of, or have been notified about, a security breach, this is what you can do in chronological order:
And, in severe cases:
At Tilaa we take security very seriously, because we understand the value of (personal) data. That is why we are fully certified to store your data and the data of your customers in our datacenter. Want to know more about the security measures we take? Have a look!