Johannesburg - An app security firm has found that the popular dating app Tinder can be hacked, revealing which profiles users have liked, along with their photos, in the app.
Tel Aviv-based research and app security solution company Checkmarx revealed in a white paper and YouTube video how it is possible for hackers to access a user’s Tinder app when sharing the same Wi-Fi network.
“Our research found two vulnerabilities that, once combined, enable a malicious attacker to spy on a Tinder user’s every move in the app. This means the attacker can see the user’s profile, the profiles the user views and the actions he or she takes (for example, swiping left/right and 'super liking'),” the research revealed.
Tinder traditionally works by allowing users to anonymously ‘like’ others, until they find a match by mutually swiping right.
The app requires users to sign in through Facebook or an independently created profile within the app.
Users can then swipe left for “No” or right for “Yes”. When a profile receives a Super Like, the recipient is notified through the app.
A match is made when two users swipe right; they can then privately message each other.
“The attacker can follow the user’s Tinder matches and seriously compromise the user’s privacy,” the company said.
Checkmarx said that Tinder lacks basic Hypertext Transfer Protocol Secure (HTTPS), the protocol that provides encrypted communication over a computer network, which lets attackers on the same network see which people a user has liked and their photos in the app.
The company explained that plain HTTP is vulnerable to eavesdropping and content modification, and that the resulting threats may stem not from the app itself but from the underlying operating system and the libraries it uses.
HTTPS, by contrast, improves security overall and nowadays is often even faster than HTTP.
“The use of HTTP allows for the escalation of other types of attacks, such as the Response Size Predictability, shown in this paper. We highly recommend that our readers be mindful of the likelihood of such attacks on their privacy and avoid public networks when possible, as these are highly vulnerable,” Checkmarx said.
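The "Response Size Predictability" the researchers mention is a traffic-analysis problem: even when a response is encrypted, its length is visible to anyone on the network path, so actions whose responses differ in size can be told apart. The added Python example below is not Checkmarx's code and does not use Tinder's real API; the three sample response bodies and their sizes are constructed for illustration. It shows that the unpadded responses are distinguishable by size alone, and that padding every response up to a fixed bucket size (the standard mitigation) makes them indistinguishable while keeping the original body recoverable.

```python
"""Response-size side channel and the padding mitigation (illustrative).

The response bodies below are constructed assumptions, not real Tinder
API responses; only their relative sizes matter for the demonstration.
"""

import json
import secrets

# Constructed sample: three in-app actions whose plaintext responses differ
# in length. Under TLS the bytes are encrypted, but ciphertext length still
# tracks plaintext length, so an on-path observer can label each action.
SAMPLE_RESPONSES = {
    "swipe_left": json.dumps({"status": 200, "match": False}),
    "swipe_right": json.dumps({"status": 200, "match": False, "likes_remaining": 99}),
    "super_like": json.dumps({
        "status": 200,
        "match": False,
        "super_likes": {"remaining": 0, "resets_at": "2017-01-01T00:00:00Z"},
    }),
}


def _size(body) -> int:
    """Byte length of a response body (str or bytes)."""
    return len(body if isinstance(body, bytes) else body.encode())


def observed_sizes(responses: dict) -> dict:
    """Map each action to the length an on-path observer would see."""
    return {action: _size(body) for action, body in responses.items()}


def actions_distinguishable_by_size(responses: dict) -> bool:
    """True if at least two actions produce responses of different size,
    i.e. size alone reveals which action the user took."""
    return len(set(observed_sizes(responses).values())) > 1


def pad_to_bucket(body: str, bucket: int = 256) -> bytes:
    """Pad a response up to the next multiple of `bucket` bytes.

    A 4-byte big-endian length prefix keeps the original body recoverable;
    the filler is random so the padding itself carries no structure.
    """
    data = body.encode()
    framed = len(data).to_bytes(4, "big") + data
    padding = (-len(framed)) % bucket
    return framed + secrets.token_bytes(padding)


def unpad(padded: bytes) -> str:
    """Recover the original body from a padded response."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n].decode()


def padded_responses(responses: dict, bucket: int = 256) -> dict:
    """Apply the padding mitigation to every response in the sample."""
    return {action: pad_to_bucket(body, bucket) for action, body in responses.items()}


if __name__ == "__main__":
    print("unpadded sizes:", observed_sizes(SAMPLE_RESPONSES))
    print("distinguishable:", actions_distinguishable_by_size(SAMPLE_RESPONSES))
    padded = padded_responses(SAMPLE_RESPONSES)
    print("padded sizes:  ", observed_sizes(padded))
    print("distinguishable:", actions_distinguishable_by_size(padded))
```

The bucket size is a trade-off: it must exceed the largest response you want to hide, and the larger it is the more bandwidth is spent on filler. Padding hides response length, not timing or request count, so it is one layer of a mitigation, not a complete one.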
To carry out the attack on a user's Tinder profile, the attacker needs to be on the same Wi-Fi network as the user, made possible via any public hotspot.
“Other scenarios where an attacker can intercept traffic include VPN or company administrators, DNS poisoning attacks or a malicious internet service provider - to name a few,” Checkmarx said.
To demonstrate an attack, Checkmarx produced a fully functional app called TinderDrift used to attack iOS and Android devices; the video of the attack was posted on YouTube.
“The team went through the responsible disclosure process, sending a full report to the Tinder security team and notifying them of our intention to publish our findings,” Checkmarx said.