According to a report by Anand Prakash of Appsecure, a specialised cybersecurity company, the firm discovered a vulnerability in the Tinder application that could let attackers gain access to user accounts using just their phone numbers.
The flaw has reportedly since been patched by both Tinder and Facebook, and there have been no reports of it being exploited before the fix.
The attack exploited a vulnerability in Facebook's Account Kit service, which Tinder uses for phone-number login on both its web and mobile applications.
Prakash said that, knowing only the phone number a user logs in with, an attacker would have been able to take over the account “within seconds”, gaining full access to it, including personal chats, personal information, and interactions with other users.
He reported the flaw to Facebook and Tinder, and it has since been fixed; the two companies paid him bounties of $5,000 and $1,250 respectively through their bug bounty programs.
Anand Prakash has so far earned more than $350,000 as a full-time bug bounty hunter, finding and reporting major security flaws to global companies.