The Checkmarx Security Research Team found disturbing vulnerabilities in a highly popular dating application used by people across the globe – Tinder. The report shows how a malicious attacker can take advantage of these vulnerabilities to cause serious privacy breaches for an unsuspecting user.
Are you a Tinder user? After undergoing the responsible disclosure procedure with Tinder’s security team, Checkmarx’s Security Research Team released their research describing two major Tinder vulnerabilities.
The Tel Aviv-based app security firm demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder’s iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder’s apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target’s phone nearly as easily as if they were looking over the target’s shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
“We can simulate exactly what the user sees on his or her screen,” says Erez Yalon, Checkmarx’s manager of application security research. “You know everything: What they’re doing, what their sexual preferences are, a lot of information.”
Launched in 2012, Tinder is one of the first “swiping apps”, allowing users to swipe through profiles to ultimately make social connections: swiping right on a profile they like, swiping left to indicate lack of interest and move on to the next profile, or “super liking” with an upward swipe. The application is most commonly used as a dating platform; it has matched over 20 billion people to date and is used in 196 countries.
The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content (as demonstrated in the research).
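A server-side mitigation for the second issue, shown as an added example that is not code from Checkmarx or Tinder: pad every response to a fixed bucket so that different actions look the same on the wire. It assumes the signal that distinguishes the encrypted commands is response length (the article does not name the signal); the bucket size, framing and sample payloads are constructed for illustration.

```python
import struct

BUCKET = 1024  # assumed bucket size; every padded frame is a multiple of this


def pad_response(body: bytes, bucket: int = BUCKET) -> bytes:
    """Frame body as [4-byte big-endian length][body][zero fill], rounded up to a bucket."""
    framed = struct.pack(">I", len(body)) + body
    padded_len = -(-len(framed) // bucket) * bucket  # ceiling to the next multiple
    return framed.ljust(padded_len, b"\x00")


def unpad_response(padded: bytes) -> bytes:
    """Recover the original body; reject frames whose length field is inconsistent."""
    if len(padded) < 4:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("length field exceeds frame")
    return padded[4:4 + n]


# Constructed sample responses for three actions (not real Tinder API payloads).
SAMPLES = {
    "pass": b'{"status":200}',
    "like": b'{"status":200,"match":false,"likes_remaining":100}',
    "match": b'{"status":200,"match":{"id":"constructed-id","participants":["a","b"]}}',
}


def wire_lengths(pad: bool) -> dict:
    """Plaintext length per action as an on-path observer could infer it from TLS record sizes."""
    return {k: len(pad_response(v) if pad else v) for k, v in SAMPLES.items()}


if __name__ == "__main__":
    print("unpadded:", wire_lengths(False))  # three distinct lengths, one per action
    print("padded:  ", wire_lengths(True))   # one length for all actions
```

Padding has to be applied after any compression, since compressing the padded frame would reintroduce the length differences. Responses larger than one bucket still reveal which bucket they fall in, so the bucket should be sized to cover all of the sensitive action responses.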
While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.
The research also raises an important question: how accustomed have we grown to a lack of privacy? It seems that with all the large-scale attacks on our privacy, people are aware that every app they open is potentially a privacy risk. Can a highly popular matching app such as Tinder look the other way when such vulnerabilities are exposed? Should app makers publicize every single vulnerability or, with an overwhelming amount of “hacking” going on, is it OK to occasionally look the other way?