The popular Tinder dating app has been identified with two serious vulnerabilities. Security experts identified a dangerous Tinder bug that can expose the swipes and matches of users to strangers. According to the provided information the flaw has been identified in November last year, the issue has still not been resolved.
The Dangerous Tinder Bug Exposes The Users Data
The popular Tinder dating app has been found to contain a dangerous vulnerability that has remained unresolved for quite some time. Security researchers reported a dangerous Tinder bug that allows criminal users to expose private data from users connected to the same wireless network. The experts note that the vulnerability report was sent to the service in November in a private disclosure however since then no fix has been released to the public. To be more precise the actual Tinder bug consists of two separate flaws.
The first one is associated with the encryption process that takes places during the application execution. Every time a Tinder user interacts with the service their actions are sent to the servers and the results are then forwarded to their devices (phones or tablets) in a secure manner. A flaw in this process allows the criminals to gain information about the photos that they are viewing, in most cases those of the user that they are viewing or chatting with.
The second Tinder bug actually exposes the behavior patterns for certain actions through network leakage. This means that the app’s signals can be intercepted and read by hackers. Using automated scripts or manual analysis they can detect the users interactions of all types — swiping, messaging and other activities.
Hacker Abuse of The Tinder Bug
By abusing the found flaws the criminals can take over control of the Tinder users profiles, specifically their profile pictures. There are two main attack scenarios that are proposed by the experts. The first one can alter the profile image to a non-suitable one which breaches the service’s terms of use and also can scare away the found matches. The other consequence would be to change it to an advertising image for the promotion of rogue products or services.
The reason why the Tinder bug has been found is that the service has not fully implemented the HTTPS encryption protocol. It turns out that the swiping of user matches happens through an insecure HTTP connection. This means that the common traffic interception scenarios can be very useful when overtaking Tinder profiles. There are three distinct approaches that the hackers can use to abuse the service:
- Malware Infection — When the device users are infected with viruses that contain Trojan code. It can actively spy on the users actions and relay the network activity to the hacker operators.
- Man-in-the-middle Attacks — Using compromised network gateways and other equipment the attackers can retrieve the network traffic from the connected devices.
- Traffic Sniffing — The researchers note that one of the easiest ways to manipulate the target profiles is to have the targets connect to a public Wi-Fi networks. As the HTTPS encryption is not fully supported the hackers can directly manipulate the return commands. This is a very easy to use approach and suitable for locations like libraries, cafes and airports where a lot of Tinder users can be found.
A real-time proof-of-concept applications has been created by the researchers to demonstrate that the Tinder bug has remained unpatched. The users should expect a critical security patch and install it as soon as it is available. In the mean time they can protect themselves by avoiding public Wi-Fi networks.