Sunday 20 January 2019

Tinder lets people see exactly who you swipe left or right on


Aatif Sulleyman

“Major” vulnerabilities in the Tinder app can let people see exactly who you match with and swipe left or right on.

If the security flaws are exploited, an attacker could gather enough sensitive information to blackmail you, cyber security researchers say.

What’s more, they could also alter the appearance of profile pictures you see, and even switch them for “malicious content”.

The vulnerabilities were uncovered by cyber security firm Checkmarx, which describes them as “disturbing”.

It discovered that the Tinder app lacks basic HTTPS encryption for profile pictures, allowing anyone using the same Wi-Fi network as you to see the same profiles you come across on the app.

Checkmarx also found that different actions within the app produce specific patterns of bytes that are recognisable even in encrypted form.

A left swipe is represented as 278 bytes, a right swipe is 374 bytes and a match shows up as 581 bytes, the researchers say.

“We can simulate exactly what the user sees on his or her screen. You know everything: what they’re doing, what their sexual preferences are, a lot of information,” Erez Yalon, Checkmarx’s manager of application security research, told Wired.

“It’s the combination of two simple vulnerabilities that create a major privacy issue.”

The researchers built an app, called Tinder Drift, which demonstrates just how much information an attacker could get their hands on, if they’re using the same Wi-Fi network as you.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app,” the researchers wrote.

“It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

Checkmarx says it notified Tinder about its findings in November, but the company is yet to fix the issues.

The Independent has contacted Tinder for comment, and this article will be updated with its response.

Online Editors

Also in Business