Document Title: =============== Grindr 2.1.1 iOS Bug Bounty #2 - Denial of Service Software Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1418 Release Date: ============= 2015-05-02 Vulnerability Laboratory ID (VL-ID): ==================================== 1418 Common Vulnerability Scoring System: ==================================== 3.3 Product & Service Introduction: =============================== Grindr, which first launched in 2009, has exploded into the largest and most popular all-male location-based social network out there. With more than 5 million guys in 192 countries around the world -- and approximately 10,000 more new users downloading the app every day -- you’ll always find a new date, buddy, or friend on Grindr. Grindr is a simple app that uses your mobile device’s location-based services to show you the guys closest to you who are also on Grindr. How much of your info they see is entirely your call. (Copy of the Vendor Homepage: http://grindr.com/learn-more ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered a local and remote denial of servie vulnerability in the official Grindr v2.1.1 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-01-22: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security) 2015-01-22: Vendor Notification (Grinder - Bug Bounty Program) 2015-02-02: Vendor Response/Feedback (Grinder - Bug Bounty Program) 2015-04-01: Vendor Fix/Patch (Grindr Developer Team - Reward: x & Manager: x) 2015-05-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Grindr LLC Product: Grinder - iOS Mobile Web Application (API) 2.2.1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ A local and remote Denial of Service vulnerability has been discovered in the official Grindr v2.1.1 iOS mobile web-application. The attacker injects a script code tag or multiple termination strings (%00%20%00%20%00) to the Display Name input field of the Edit Profile module. After the inject the service stored the malicious values as DisplayName. After the inject a random user is processing to click in the profile the contact information (facebook/twitter). After that the victim wants to copy the link and an internal service corruption occurs thats crashs the mobile app. The issue is local and remote exploitable. Vulnerable Module(s): [+] Edit Profile Vulnerable Parameter(s): (Input) [+] Display Name Affected Module(s): [+] Contact > Social Network > Copy Link Proof of Concept (PoC): ======================= The denial of service web vulnerability can be exploited by remote attacker and local user accounts with low user interaction (click). To demonstrate the vulnerability or to reproduce the issue follow the provided information and steps below to continue. Manual steps to reproduce ... 1. Open the grindr mobile application 2. Inject a script code tag as Display Name or use the terminated String with empty values 3. Save and click in the profile the contact button (exp. facebook) 4. Click to the send button ahead and push the Copy Link function 5. The app service is getting terminated with an uncaught exception because of an internal parsing error Note:To exploit the issue remotly the profile needs to be shared with another user and then the user only needs to push the same way the social contact button. PoC Video: Solution - Fix & Patch: ======================= First step is to prevent the issue by a secure restriction of the input. Attach a own excpetion-handling to prevent next to the insert itself. The social network accounts that are linked do not allow special chars in the username. The grindr ios app and the android app allows to register an account and to insert own scripts or null strings that corrupts the process of copy the link by an error. After the restriction has been set in the code of both (api) the issue can not anymore execute to shutdown anothers users account. Even if this issue execution is prevented that was only a solution to prevent. To fix the bug ... Connect for example ios device with the running app to windows. Sync the process and reproduce the remote error and local error. Move to the iOS error folder that has been synced. Get the error attach another debugger and so on ... Security Risk: ============== The secuirty risk of the local and remote denial of service vulnerability in the copy link function that corrupts is estimated as medium. Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt