A lack of security protections in Tinder's mobile app is leaving lonely hearts vulnerable to eavesdropping.
That's according to security biz Checkmarx this week, which claimed Android and iOS builds of the dating app fail to properly encrypt network traffic, meaning the basic actions of peeps looking to hookup – such as swipes on profiles – could be collected by anyone on the same Wi-Fi or carrying out similar snooping.
Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes.
As Tinder is, by nature, used in large gathering places like bars and cafes with free public Wi-Fi, the flaws would potentially be exposed for many, if not most, Tinder users.
The first issue, CVE-2018-6017, results from the Tinder's app's use of insecure HTTP connections to access profile pictures. By observing traffic on a public Wi-Fi network (or some other snooping position on a network), a miscreant could see what profiles are being viewed and match them with the victim's device. If a scumbag has compromised the network when the victim turns on the Tinder app, the victim's profile information could also be intercepted and viewed.
The second flaw, CVE-2018-6018, is what allows the attacker to see specific actions like swipes and likes. Though the Tinder API uses HTTPS connections for traffic it handles, the specific actions each move their encrypted packets with a set length.
By checking packets for specific byte sizes (278 bytes for a left swipe to reject, 374 bytes for a right swipe to approve, and 581 bytes for a like), the attacker could combine the actions with the unsecured HTTP profile and photo traffic to work out who is swiping who.
The recommendation for users is simple enough: avoid public Wi-Fi networks wherever possible. Developers, meanwhile, should take steps to make sure all app traffic is secured.
"The assumption that HTTP can be used in a sensitive application must be dropped," Checkmarx writes.
"Standard HTTP is vulnerable to eavesdropping and content modification, introducing potential threats that might not even be related to the app itself but the underlying operating system and/or used libraries."
A spokesperson for Tinder told us: "We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.
"Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers." ®