Tinder mobile app lacks security protections, leaving users vulnerable to eavesdropping, a report by security researchers claims. Researchers say the dating app is not using encryption to prevent hackers from snooping on users sharing the same network. Lack of basic HTTPS encryption essentially means that anyone can extract Tinder pictures and other data such as user swipes.
Tel Aviv-based security research firm Checkmarx found the vulnerability on Tinder's Android as well as iOS apps. In order to demonstrate an attack, the firm has created an app called TinderDrift. In a video on YouTube, we can see how such an app could be used to follow Tinder users' actions on Tinder if the person is sharing the same Wi-Fi.
The researchers have disclosed two flaws - CVE-2018-6017 and CVE-2018-6018 - in the app. The report says, "Our research found two vulnerabilities that, once combined, enable a malicious attacker to spy on a Tinder user's every move in the app." This means hackers can see a user's profile, profiles which the user views, as well as actions like swiping left or right, and more. The attacker can follow the user's Tinder matches and seriously compromise the user's privacy, the researchers noted.
Notably, in order to carry out an attack, hackers will have to be on the same Wi-Fi network as the user, the report claims. Since Tinder is an app usually used in public spaces, people are likely used to be accessing public Wi-Fi, leaving themselves potentially exposed. Additionally, other scenarios include VPN connection, DNS poisoning attacks, or malicious Internet service providers.
The report also claims that hackers can use user's private information to potentially swap the photos a user sees for inappropriate content or rogue advertising. It has recommended Tinder users to avoid public Wi-Fi networks wherever possible until developers take steps to make sure all app traffic is secured.