Mobile hookup apps Grindr and Blendr appear to have security holes, House Commerce Committee Ranking Member Henry Waxman, D-Calif., and Manufacturing Subcommittee Ranking Member G.K. Butterfield, D-N.C., told Joel Simkhai, CEO of the U.S.-based company behind both apps, in a letter (http://xrl.us/bmt6bk) Thursday. The lawmakers referred to a Sydney Morning Herald article saying a hacker had breached Grindr accounts in Australia, logging in as other users and impersonating them, and quoted a security expert who replicated the breach for the newspaper and said neither app has “real security.” Though Congress is most concerned with the security of data such as financial account and Social Security numbers, “the failure by online services to secure chats, location information, photographs, and other information people would want to keep private also could lead to economic harms as well as reputational harms, so we believe such information should also be protected,” Waxman and Butterfield told Simkhai. “This incident raises questions about the steps your company takes to protect the privacy and security of your users’ information.”

The lawmakers asked Simkhai to provide information so they can assess the apps’ security measures, saying they are “not asking for, nor are we interested in, any personally identifiable information about your users.” They asked for the particulars of “any other breaches of any size,” including how users were notified and whether users were given “direct notice” of the Australia breach; the security features in the apps that preceded “the latest updates”; whether the apps collect and transmit mobile device information beyond the device identification code, such as the phone number or address book; and whether the device’s Unique Device Identifier (UDID) or Media Access Control (MAC) address is part of the “hash” required for users to log in. Apple started phasing out developer access to the UDID with iOS 5.0. Waxman and Butterfield also asked Simkhai whether his companies had conducted assessments of the security risks of relying on such hashes to log in users, or a privacy impact assessment of their collection and use practices.
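The letter’s question about whether a device’s UDID or MAC address feeds the “hash” used to log in is worth unpacking for readers who are not security engineers. What follows is an added illustration, not the apps’ code and not a description of how Grindr or Blendr actually authenticated users: a toy login scheme whose only credential is a hash of a static device identifier, next to a scheme that issues a random, expiring session token after a salted password check. The identifiers, usernames and password are constructed for the example; the 2-byte brute-force search is deliberately shortened from the 3-byte device portion of a real MAC address so it runs quickly.

```python
"""Constructed illustration of why a login "hash" derived from a fixed device
identifier is a weak credential. Not the apps' code; all sample values are made up.

Scheme A: the credential is sha1(identifier). It is deterministic and unsalted, so
          anyone who learns the identifier, or captures the hash once, can log in
          as that user indefinitely; and if the identifier has little entropy
          (a MAC with a known vendor prefix), the hash can be reversed by brute force.
Scheme B: a random token minted by the server after a salted password check,
          bound to an expiry and unrelated to anything about the device.
"""
from __future__ import annotations

import hashlib
import secrets
import time


# --- Scheme A: hash of a static device identifier as the credential (weak) -----

def device_hash(identifier: str) -> str:
    """Unsalted digest of a static identifier; re-computable by anyone who knows it."""
    return hashlib.sha1(identifier.encode()).hexdigest()


class DeviceHashAuth:
    def __init__(self) -> None:
        self.users: dict[str, str] = {}          # hash -> username

    def register(self, username: str, identifier: str) -> None:
        self.users[device_hash(identifier)] = username

    def login(self, presented_hash: str) -> str | None:
        return self.users.get(presented_hash)    # nothing else is checked


def recover_mac_from_hash(target_hash: str, known_prefix: bytes, unknown_bytes: int) -> str | None:
    """Brute-force the trailing bytes of a MAC whose leading bytes are known.
    A real MAC is 6 bytes with a 3-byte vendor prefix, leaving 2**24 candidates per
    vendor, which is feasible offline; the demo searches 2 bytes so it finishes fast."""
    for n in range(256 ** unknown_bytes):
        mac = ":".join(f"{b:02x}" for b in known_prefix + n.to_bytes(unknown_bytes, "big"))
        if device_hash(mac) == target_hash:
            return mac
    return None


# --- Scheme B: random session token issued after a salted password check --------

class SessionTokenAuth:
    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.credentials: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, pbkdf2)
        self.sessions: dict[str, tuple[str, float]] = {}        # token -> (user, expiry)
        self.ttl = ttl_seconds

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[username] = (salt, self._derive(password, salt))

    def login(self, username: str, password: str, now: float | None = None) -> str | None:
        rec = self.credentials.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not secrets.compare_digest(stored, self._derive(password, salt)):
            return None
        token = secrets.token_urlsafe(32)        # 256 random bits, nothing device-derived
        now = time.time() if now is None else now
        self.sessions[token] = (username, now + self.ttl)
        return token

    def resolve(self, token: str, now: float | None = None) -> str | None:
        rec = self.sessions.get(token)
        if rec is None:
            return None
        user, expiry = rec
        if (time.time() if now is None else now) >= expiry:
            del self.sessions[token]             # expired tokens stop working
            return None
        return user


def demo() -> dict[str, object]:
    # Constructed sample identifiers and credentials; not real devices or accounts.
    victim_udid = "e3f5c0a1b2d4e6f8a9b7c5d3e1f0a2b4c6d8e0f2"
    victim_mac = "00:1a:2b:c3:d4:e5"

    weak = DeviceHashAuth()
    weak.register("alice", victim_udid)
    impersonated = weak.login(device_hash(victim_udid))   # attacker knows the UDID or the hash
    recovered = recover_mac_from_hash(device_hash(victim_mac), bytes.fromhex("001a2bc3"), 2)

    strong = SessionTokenAuth(ttl_seconds=60)
    strong.register("alice", "correct horse battery staple")
    t0 = 1_700_000_000.0
    token = strong.login("alice", "correct horse battery staple", now=t0)
    return {
        "impersonated": impersonated,                                   # "alice"
        "recovered_mac": recovered,                                     # victim_mac
        "guessed": strong.resolve(device_hash(victim_udid), now=t0),    # None
        "wrong_pw": strong.login("alice", "wrong", now=t0),             # None
        "live": strong.resolve(token, now=t0 + 30),                     # "alice"
        "expired": strong.resolve(token, now=t0 + 61),                  # None
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one behind the lawmakers’ question: a hash of a value the device exposes to every app, and that never changes, is not a secret, so it cannot serve as a credential on its own; a server-issued random token that is tied to an authenticated session and expires has neither problem.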
The lawmakers said they were troubled that it took two weeks for Simkhai’s companies to release security updates for Grindr and three weeks for Blendr, when the expert quoted by the Morning Herald said security fixes “wouldn’t be too hard.” They asked Simkhai how the apps protected users’ information between the Jan. 20 breach and the Feb. 3 and 10 updates. Simkhai should respond by March 8, they said. In Feb. 10 blog posts, Grindr and Blendr portrayed the “mandatory” updates as multifaceted, not specific to security holes. Gay male-focused Grindr said the update included “crucial security enhancements, better compatibility, and improved performance for all users, plus two exciting new features exclusive to [paid] Xtra subscribers.” Straight and lesbian-focused Blendr said its update had “crucial security enhancements, along with improved performance and bug fixes.” In a Jan. 20 blog post, Grindr said the breach was caused by a site that violated its terms, that only a “small number of primarily Australian” users were affected, and that Grindr does not “retain chat history, credit card information, or addresses -- and no such information was ever compromised.” A similar post on the Blendr blog said media reports had “incorrectly associated Blendr with an incident on our other social networking application.” We couldn’t immediately reach Grindr or Blendr for comment.