An Israeli security firm Checkmarx has found two critical vulnerabilities in the popular dating app Tinder that enable hackers to keep a hawk eye on all your moves.
The firm has released a report entitled “Are You on Tinder? Someone May Be Watching You Swipe.” It covers two distinct and potentially troubling flaws. One of them is about the unsecured Tinder protocols; the app lets anyone connected to the same WiFi as you to potentially snoop in your Tinder photos and also see the matches that you might have made.
The first flaw which is known as CVE-2018-6017 takes advantage of the fact that the app does not use secure HTTP connections to display the profile pictures of the users. A hacker would easily be able to monitor network traffic, and through that, they can easily peek which device is looking at which profiles.
Erez Yalon, Checkmarx’s manager of application security research, “We can simulate exactly what the user sees on his or her screen. You know everything: What they’re doing, what their sexual preferences are, a lot of information.”
The second flaw, which is dubbed as CVE-2018-6018, the App has swipes and likes behind an HTTPS protocol, and for each of these actions, different amount of data is required. Rejections require 278 bytes, approvals require 374 bytes and likes require 581 bytes. Through a code to calculate data from the second flaw and combining it with the first, an attacker could easily discover which profiles you’re accepting and rejecting.
The security firm created a simple program called Tinderdrift to demonstrate the two vulnerabilities in the dating app.
“We take the security and privacy of our users very seriously. We employ a network of tools and systems to protect the integrity of our global platform,” a Tinder representative. "That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.”
However, in response to these flaws the company issued a statement which reads, “We are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would be hackers.”
The firm has released a report entitled “Are You on Tinder? Someone May Be Watching You Swipe.” It covers two distinct and potentially troubling flaws. One of them is about the unsecured Tinder protocols; the app lets anyone connected to the same WiFi as you to potentially snoop in your Tinder photos and also see the matches that you might have made.
The first flaw which is known as CVE-2018-6017 takes advantage of the fact that the app does not use secure HTTP connections to display the profile pictures of the users. A hacker would easily be able to monitor network traffic, and through that, they can easily peek which device is looking at which profiles.
Erez Yalon, Checkmarx’s manager of application security research, “We can simulate exactly what the user sees on his or her screen. You know everything: What they’re doing, what their sexual preferences are, a lot of information.”
The second flaw, which is dubbed as CVE-2018-6018, the App has swipes and likes behind an HTTPS protocol, and for each of these actions, different amount of data is required. Rejections require 278 bytes, approvals require 374 bytes and likes require 581 bytes. Through a code to calculate data from the second flaw and combining it with the first, an attacker could easily discover which profiles you’re accepting and rejecting.
The security firm created a simple program called Tinderdrift to demonstrate the two vulnerabilities in the dating app.
“We take the security and privacy of our users very seriously. We employ a network of tools and systems to protect the integrity of our global platform,” a Tinder representative. "That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.”
However, in response to these flaws the company issued a statement which reads, “We are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would be hackers.”