It's important to note that what a hacker could do through these flaws is relatively narrow, but it does allow a person to gain access to sensitive personal information. The issue is due to a lack of HTTPS encryption on photos; other elements of the app that do use this kind of encryption still leaked enough information to let an observer monitor a user's actions.
In order to exploit these vulnerabilities, Checkmarx built a tool called TinderDrift. Once it was connected to the same network as someone using Tinder, the team was able to intercept images sent without HTTPS. Additionally, they used the size of the transmitted data to infer what a person was doing on Tinder and tie it to the unencrypted image: a swipe left is 278 bytes, while a swipe right is 341 bytes. "We can simulate exactly what the user sees on his or her screen," Erez Yalon, Checkmarx's manager of application security research, told Wired. "You know everything: What they're doing, what their sexual preferences are, a lot of information."
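One way to close the size leak described above, as an added example that is not code from Checkmarx or Tinder: pad every swipe response to a common size before it is encrypted, so both actions look the same length on the wire. It assumes the 278 and 341 byte figures are response sizes; the 512-byte bucket, the length-prefix framing and all function names are illustrative.

```python
import struct

BUCKET = 512                  # assumed bucket; every swipe response must fit in one
HEADER = struct.Struct(">I")  # 4-byte big-endian length of the real body

def pad(body: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix the body and zero-fill to the next multiple of bucket."""
    framed = HEADER.pack(len(body)) + body
    target = -(-len(framed) // bucket) * bucket  # ceiling to a bucket multiple
    return framed.ljust(target, b"\x00")

def unpad(frame: bytes, bucket: int = BUCKET) -> bytes:
    """Recover the body, rejecting frames that were truncated or altered."""
    if len(frame) < HEADER.size or len(frame) % bucket:
        raise ValueError("frame is not a whole number of buckets")
    (n,) = HEADER.unpack_from(frame)
    end = HEADER.size + n
    if end > len(frame) or len(frame) - end >= bucket:
        raise ValueError("length prefix inconsistent with frame size")
    if frame[end:].strip(b"\x00"):
        raise ValueError("non-zero padding")
    return frame[HEADER.size:end]

def observed_sizes(bodies, padded: bool) -> set:
    """Sizes a passive network observer would see for each response."""
    return {len(pad(b)) if padded else len(b) for b in bodies}

# Constructed stand-ins with the article's sizes (contents are made up).
SWIPE_LEFT = b"L" * 278
SWIPE_RIGHT = b"R" * 341

if __name__ == "__main__":
    both = [SWIPE_LEFT, SWIPE_RIGHT]
    print("unpadded:", sorted(observed_sizes(both, padded=False)))
    print("padded:  ", sorted(observed_sizes(both, padded=True)))
```

The padding has to be applied before encryption and with compression off, otherwise the length difference reappears in the ciphertext.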
It may seem minor, but trusting sensitive personal information to apps that don't protect it properly is a problem that's just getting worse. We reached out to Tinder for comment, and the company confirmed that in-app images aren't encrypted, but it says it's "working towards" doing so. The full statement is below:
"We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it's important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers."