This article is more than 1 year old

Easy Tinder prank hack lets you play stupid cupid

Engineer details method for 45-minute romp arranging dates for unwitting mates

Software engineer Robert Heaton has detailed simple tricks to fondle your mates' Tinder and Facebook accounts over the festive season.

Friendship is a pre-requisite for the prank that requires cookies to be swiped off an unattended machine and reworked to be absorbed into the iOS Tinder app.

In a detailed post Heaton said Tinder accounts could be hijacked using a little security knowledge and a few minutes of unattended machine time.

"You have discovered that all you need is a little time with his laptop's Facebook session and you can bust into his Tinder account on your phone," Heaton said.

"You can use this small window of opportunity to throw his Facebook session from his laptop onto yours, then continue with the next phase right under his oblivious nose.

"His session is in his browser cookies. You get his Facebook.com cookies, you get his session."

The prank used the Chrome extension EditThisCookie to nab Facebook cookies stored in the Google browser, which could then be emailed as JSON-serialised cookies. This granted access to the target's Facebook account as long as it remained logged in.

"Steve comes back, enormous sandwich in hand. But it's too late. You're in."

Tinder cupids keen to defeat the attack should drop the sandwich, grab a copy of the Burp Suite web app security tool, install the SSL certificate on their phone and a proxy on their computer.

From there, Heaton advises punters to delete their iOS Facebook app and then use that social network to log in to Tinder in a feat described as "man-in-the-middling yourself".

This generated an HTTP GET request captured by Burp Suite. The URL was then copied into the browser previously logged into Facebook using the pinched cookie, which would ask if the victim would like to authorise their Tinder account.

An HTTP POST request from that authentication would then be nabbed by Burp Suite and could be examined to prise open the encrypted authentication token.

That token could then be inserted, using Burp Suite's intercept mode, into the returning HTTP request from the Tinder-Facebook login attempt made on the iOS device, granting access to the victim's Tinder account.

"You did it. Tears of joy and relief streaming down your face, you change all of his photos to pictures of Gary Busey and start educating all of his matches about his deleterious personal hygiene."

Pranksters have up to 45 minutes to enjoy their festive furtive free-for-all before being promptly and inexplicably punted by Facebook and Tinder. ®
