Researchers have found a major Tinder vulnerability which allows tracking every move on the app
Checkmarx security researcher Dafna Zahger has found major flaws in the Tinder dating app that let strangers monitor your activity on the app, including tracking your swipes, accessing your chats and replacing the pictures you see with commercial or erotic content.
In her analysis, D. Zahger points out the following:
If you always feel like someone’s watching you, and you have no privacy – chances are, you might be right.
It is worth mentioning that Tinder is one of the first swiping apps developed for dating. Users swipe right if they find the other person attractive, left when they do not feel a connection, and up if they "super like" the person.
Tinder's system is quite simple: when the other person likes you back, there is a match and you can both proceed to chat messaging. The platform has already created more than 20 billion matches across 196 countries.
The Tinder flaw affects both the iOS and Android apps
Unfortunately, the vulnerability has been found in both the iOS and Android versions of the application. No special Tinder spy app is required: an attacker merely needs to be on the same network as the victim to monitor the user's every step.
Additionally, Dafna Zahger says that attackers can hijack the account and perform the following malicious activity:
It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content.
Even though there is no direct financial harm, experts say that this Tinder flaw might be exploited in blackmail schemes, since Checkmarx manager Erez Yalon confirms that an attacker can monitor everything:
You know everything: What they’re doing, what their sexual preferences are, a lot of information.
TinderDrift: A Tinder tracker app presented for research purposes
During the research, the researchers developed a proof-of-concept Tinder spy app, called TinderDrift, to demonstrate the vulnerabilities. Although an experienced attacker would not need it, they say it was the easiest way to present the flaws.
This proof-of-concept software, run on a laptop connected to the same network as the victim, shows precisely what the victim's screen shows:
We can simulate exactly what the user sees on his or her screen.
TinderDrift exploits what is really a lack of encryption rather than a flaw in HTTPS: the popular dating app transmits photos over unprotected HTTP instead of HTTPS. As a result, it becomes relatively easy for anyone on the same network to spy on Tinder users.
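As an added illustration, not from the article or from Checkmarx, here is the kind of self-audit check an app team would run over its own traffic log during testing to catch exactly this exposure: it flags media fetched over plain HTTP, which anyone on the same network could read. The log format, hostnames and paths are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample log (hypothetical export format of a test proxy):
# METHOD URL STATUS CONTENT-TYPE, one request per line.
SAMPLE_LOG = """\
GET https://api.example.test/v2/recs 200 application/json
GET http://images.example.test/u/123/photo1.jpg 200 image/jpeg
GET http://images.example.test/u/123/photo2.jpg 200 image/jpeg
POST https://api.example.test/like/456 200 application/json
GET https://cdn.example.test/u/789/photo.webp 200 image/webp
GET http://cdn.example.test/app/terms.html 200 text/html
this line is malformed and must be skipped
"""

# Content types that carry user media (photos, videos) and must never go in the clear.
MEDIA_PREFIXES = ("image/", "video/")


def parse_line(line):
    """Split one log line into (method, url, status, content_type); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    method, url, status, ctype = parts
    return method, url, status, ctype


def cleartext_media(log_text):
    """Return (host, path, content_type) for every media fetch made over plain HTTP.

    These are the responses an on-path observer on the same network can read
    or replace; an HTTPS fetch of the same media would not be listed.
    """
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _method, url, _status, ctype = parsed
        u = urlsplit(url)
        if u.scheme == "http" and ctype.startswith(MEDIA_PREFIXES):
            findings.append((u.hostname, u.path, ctype))
    return findings


def cleartext_hosts(log_text):
    """Every host contacted over plain HTTP at all; each needs HTTPS (or blocking in the app)."""
    hosts = set()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is not None and urlsplit(parsed[1]).scheme == "http":
            hosts.add(urlsplit(parsed[1]).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for host, path, ctype in cleartext_media(SAMPLE_LOG):
        print(f"cleartext media: {host}{path} ({ctype})")
    print("hosts still using HTTP:", cleartext_hosts(SAMPLE_LOG))
```

The second function is the broader list: even non-media cleartext fetches let an observer tamper with what the app shows, so the fix is to move every host to HTTPS, not only the photo server.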