Tinder flaws could expose your swipes to prying eyes

Apparently, photos on the app aren't encrypted with HTTPS.
Swapna Krishna, @skrishna
January 23, 2018
Today, the security firm Checkmarx released troubling information about two vulnerabilities within Tinder, the popular dating app. The issues are present in both the iOS and Android apps and allow a user on the same network to monitor what a person is doing on Tinder. Additionally, an attacker could control the pictures a user sees on Tinder; it's possible to swap them out for malicious content.

It's important to note that what a hacker could do through these flaws is relatively narrow, but they do allow a person to gain access to sensitive personal information. The issue is due to a lack of HTTPS encryption on photos; other elements of the app that do use this kind of encryption still leaked enough information to make it possible to monitor a user's actions.

In order to exploit these vulnerabilities, Checkmarx built a tool called TinderDrift. Once it was connected to the same network as someone using Tinder, the team was able to intercept images sent without HTTPS. Additionally, they used information about the size of the data transmitted to monitor what a person was doing on Tinder and connect it to the unencrypted image: a swipe left is 278 bytes, while a swipe right is 341 bytes. "We can simulate exactly what the user sees on his or her screen," Erez Yalon, Checkmarx's manager of application security research, told Wired. "You know everything: What they're doing, what their sexual preferences are, a lot of information."
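The 278-versus-341-byte difference is a length side channel: encryption hides what a message says, not how long it is. The sketch below is an added example, not code from the article or from Checkmarx; it shows the leak and how padding to a fixed block size, a general mitigation the article does not discuss, closes it. The message bodies, the third message type and the block sizes are constructed assumptions.

```python
import os

# Response sizes reported in the article; bodies are constructed random bytes
# standing in for encrypted payloads whose content the observer cannot read.
MESSAGES = {
    "swipe_left": os.urandom(278),
    "swipe_right": os.urandom(341),
    "other_action": os.urandom(700),  # hypothetical third message type
}

def leaking_actions(messages):
    """Actions a passive observer can identify from message length alone."""
    by_len = {}
    for action, body in messages.items():
        by_len.setdefault(len(body), []).append(action)
    # An action leaks when no other action shares its on-the-wire length.
    return sorted(a[0] for a in by_len.values() if len(a) == 1)

def pad(body, block):
    """Prefix the true length, then zero-fill to a multiple of `block`.
    Applied to the plaintext before encryption."""
    framed = len(body).to_bytes(4, "big") + body
    return framed + b"\x00" * (-len(framed) % block)

def unpad(padded_body):
    """Recover the original body; reject an impossible length prefix."""
    if len(padded_body) < 4:
        raise ValueError("truncated frame")
    n = int.from_bytes(padded_body[:4], "big")
    if n > len(padded_body) - 4:
        raise ValueError("length prefix exceeds frame")
    return padded_body[4:4 + n]

def padded(messages, block):
    """Apply the same padding to every message type."""
    return {a: pad(b, block) for a, b in messages.items()}

if __name__ == "__main__":
    print("no padding:  ", leaking_actions(MESSAGES))
    print("block = 512: ", leaking_actions(padded(MESSAGES, 512)))
    print("block = 1024:", leaking_actions(padded(MESSAGES, 1024)))
```

With a 512-byte block the two swipes become indistinguishable, but the larger message still stands out; the block has to cover every message type that should look alike.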

It may seem minor, but trusting sensitive personal information to apps that don't protect it properly is a problem that's just getting worse. We reached out to Tinder for comment, and the company confirmed that in-app images aren't encrypted, but it says it's "working towards" doing so. The full statement is below:

"We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it's important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers."
