Tinder flaw exposes user swipe, match and photos to strangers

Tinder is an online dating app that was launched in 2012 and allows members to swipe through profiles to make social connections. However, according to security experts from, Checkmarx, a Tel Aviv based security company, Tinder has two critical security flaws that expose every swipe and match of yours to strangers including cybercriminals who are using the same wireless network. The flaws were identified in November last year and Tinder was informed about them at that time but a fix is yet to be released.

Tinder flaw exposes user swipe, match and photos to strangers

The first flaw is associated with the encryption process surrounding images category; it lets hackers get information about the photos you have been checking out. The other flaw can expose the data patterns for certain actions such as swiping right or left; through understanding these patterns, hackers can easily comprehend your intentions. It must be noted that Tinder is a highly popular dating service having matched over 20 billion people to date and used in 196 countries.

Checkmarx researchers opine that a hacker can easily take control of profile pictures and then swipe them for unsuitable content as well as perform rogue advertising. The reason why the service is facing issue is that it is yet to implement HTTPS encryption. The app allows swiping of pictures over unsecured HTTP, which makes it easy to be intercepted by a person using the same Wi-Fi network.

However, using HTTPS would mean that no third party can read the messages. Since Tinder’s swipe feature lacks HTTPS protection, therefore, the messages get exposed to others. It can lead to dire consequences such as by gaining information about the sexual preferences of a user a hacker can blackmail him/her and threaten to make such sensitive information public.

According to Erez Yalon, Checkmarx’s manager of application security research: “We can simulate exactly what the user sees on his or her screen. You know everything: What they’re doing, what their sexual preferences are, a lot of information.”

Moreover, unprotected HTTP allows attackers to obtain data from Tinder through identifying byte patterns for various actions. Such as, left swipe represents 278 bytes while right swipe represents 374 bytes and a match is found at 581 bytes. By recognizing data patterns, hackers can perform all sorts of actions or interrupt an on-going action. For instance, they can inject their own picture into photo stream of another user. They can monitor all your actions on Tinder and can record them as well. Whoever you like or plan to chat with will be known to them, which is indeed disturbing.

The two flaws collectively produce grave privacy issue for Tinder users. In their official blog post, researchers noted: “The answers will ultimately determine the amount of effort companies such as Tinder, EA games, and even Uber put into ensuring their apps are released vulnerability free (or as close to that as humanly possible.”

Researchers also recommended that app makers need to implement reliable and up-to-date security testing methods in order to safeguard user data and privacy. On the other hand, they urge users to use such services cautiously and never use them on public wi-fi networks.

The proof-of-concept software to demonstrate Tinder’s vulnerabilities was also built by Checkmarx researchers, which has been dubbed as TinderDrift. When it is run on a laptop, which is connected to any wireless network, it will automatically recreate the entire session and categorize the photos as approved, matched and rejected in real-time.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.