
If your company is being actively targeted by nation states (and rest assured, Grindr is), you should have a serious security team where this sort of stuff shouldn't have seen the light of day.

I'm not exaggerating when I say this bug may have gotten people locked up, or been the lever for corporate/government espionage.




Hacking Grindr sounds like a lot of work. Why wouldn't gru@kremvax.ru just sign up, post a photo of her son and his classmates twerking at the pilot academy, enable tourist mode, and take a virtual trip to Los Alamos?


I don't mean to downplay the issue, but why would LGBT-hostile nation-states target Grindr's infrastructure when it's much easier to detect users at the network level based on TLS SNI (since encrypted SNI is still not a thing thanks to corporate influence)?


Because at the application level, you get so much more data. Who they're talking to, who they're meeting. HIV status, photos, etc.


Grindr doesn't require a real email address...


I'm sure a government could detect that a citizen visited grindr.com, but it'd be harder to guarantee that they actually had intent to commit "crimes" without access to unencrypted internal messages.

I'm also concerned about an antagonist nation state that gets the personal emails of top officials at the Department of Defense, goes through a targeted list in an attempt to find out who's a member, and, if a match is found, engages in a blackmail scheme for secret information.


> I'm sure a government could detect that a citizen visited grindr.com, but it'd be harder to guarantee that they actually had intent to commit "crimes" without access to unencrypted internal messages.

Why would that hypothetical government care about that? Just lock everyone up!


You're assuming the attackers are that sophisticated. With an attack this simple it could be exploited by a group of thugs at a local police station (with maybe a "computer savvy friend") logging into local accounts to see if they can find anyone they recognize.


Proof-wise, there is a difference.

Blackmail-wise, there is an even bigger difference. "I know you use Grindr" vs "this is your last conversation on Grindr". These have very different credibility and impact when leaked.


Honestly, I wouldn't be surprised if this was an intentional back door (...) that Grindr was required to create and let foreign authorities know about in exchange for being allowed to market the app in their country.


Assuming that's true, why would they publicly expose the back door as an anonymous API endpoint that's used in a standard flow within the product? Incompetence seems much more likely.

I'm not even sure that would constitute a "back door" - it's more of an "additional front door with no lock whatsoever".


"Never attribute to malice that which is adequately explained by stupidity."


Account takeover is a really shitty backdoor...



