Tinder vulnerability lets criminals spy on your swipes

by Linas Kiguolis - - 2018-01-28

Researchers have found a major Tinder vulnerability which allows tracking every move on the app

Tinder spy app allows you to track every move on the application

The security researcher at Checkmarkx, Dafna Zahger, have found major Tinder dating site flaws which let strangers monitor your activity on the app^[1]. It includes tacking your swipes, accessing chats and re-changing pictures you see to commercial or erotic content.

In her analysis, D. Zahger points out the following:

If you always feel like someone’s watching you, and you have no privacy – chances are, you might be right.

It is worth mentioning that Tinder is one of the first swiping apps developed for dating. Users can swipe right if they find the other person attractive, left when they cannot feel the connection and up if they super like the person.

Tinder app system is quite simple: when the other person likes you back, there is a match, and you both can proceed to chat-messaging. This dating platform has already created more than 20 billion matches across 196 countries^[2].

Tinder flaw has affected both, iOS and Android apps

Unfortunately, but the vulnerability has been found in both, iOS and Android versions of the application^[3]. There is no Tinder spy app — the hacker merely needs to use the same network as the victim to monitor every user's step.

Additionally, Dafna Zahger says that attackers can hijack the account and perform the following malicious activity^[4]:

It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content.

Even though there is no direct financial harm, experts say that this Tinder flaw might be exploited in potential blackmail schemes since the manager of Checkmarx, Erez Yalon, confirms that an attacker can monitor everything:

You know everything: What they’re doing, what their sexual preferences are, a lot of information.

TinderDrift: A Tinder tracker app presented for research purposes

During the research, IT professionals have developed a Tinder spy app, also known as TinderDrift, to show its vulnerabilities. Despite the fact that an experienced hacker wouldn't need it, they say it was the easiest way to present the flaws.

This proof-of-concept software allows to see precisely what the victim's screen shows once it runs on the laptop connected to the same network^[5]:

We can simulate exactly what the user sees on his or her screen.

TinderDrift exploits HTTPS vulnerability on Tinder which actually is lack of encryption. The popular dating app transmits photos via unprotected HTTP. Likewise, it becomes relatively easy to hack into Tinder for anyone who is on the same network.

About the author

Linas Kiguolis - Expert in social media

Linas Kiguolis is one of News Editors and also the Social Media Manager of 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.

Contact Linas Kiguolis
About the company Esolutions

References

^ Shannon Liao. Hackers can see your Tinder photos and figure out your matches. The Verge. Technology, science, art, and culture.
^ Phoebe Weston. Your Tinder secrets could be EXPOSED: Massive security flaws in the app could let strangers hijack your photos, spy on your swipes and see pictures of all your matches. Daily Mail. Latest News.
^ Tara Seals. Tinder Flaws Let Stalkers Watch Your Every Move. Infosecurity Magazine. Information Security & IT Security News.
^ Dafna Zahger. Are You on Tinder? Someone May Be Watching You Swipe. Checkmarx. Application Security Testing and Static Code Analysis.
^ Andy Greenberg. Tinder's lack of encryption lets strangers spy on your swipes. Wired. Future Science, Culture & Technology News and Reviews.