Tinder flaws could expose your swipes to prying eyes

Apparently, photos on the app aren't encrypted with HTTPS.
Today, the security firm Checkmarx released troubling information about two vulnerabilities within Tinder, the popular dating app. The issues are present in both the iOS and Android apps and allow a user on the same network to monitor what a person is doing on Tinder. Additionally, an attacker could control the pictures a user sees on Tinder; it's possible to swap them out for malicious content.

It's important to note that what a hacker could do through these flaws is relatively narrow, but they do allow a person to gain access to sensitive personal information. The issue is due to a lack of HTTPS encryption on photos; other elements of the app that are encrypted still leak enough information for an observer to monitor a user's actions.

In order to exploit these vulnerabilities, Checkmarx built a tool called TinderDrift. Once it was connected to the same network as someone using Tinder, the team was able to intercept images sent without HTTPS. Additionally, they used the size of the data transmitted to work out what a person was doing on Tinder and tie each action to the unencrypted image: a swipe left is 278 bytes, while a swipe right is 341 bytes. "We can simulate exactly what the user sees on his or her screen," Erez Yalon, Checkmarx's manager of application security research, told Wired. "You know everything: What they're doing, what their sexual preferences are, a lot of information."
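The size difference described above disappears if every response is padded to a common length before it is encrypted. The sketch below is an added example, not code from Checkmarx, Tinder or this article; the 512-byte bucket, the length-prefix framing and the sample JSON bodies are assumptions constructed for illustration.

```python
import json
import struct

BUCKET = 512  # assumed bucket size; must exceed the largest response to hide

def make_body(action: str, size: int) -> bytes:
    """Constructed sample response of an exact size (not the app's real format)."""
    base = len(json.dumps({"action": action, "filler": ""}))
    return json.dumps({"action": action, "filler": "x" * (size - base)}).encode()

# Constructed bodies matching the sizes quoted in the article.
LEFT = make_body("left", 278)
RIGHT = make_body("right", 341)

def pad(body: bytes, bucket: int = BUCKET) -> bytes:
    """Frame as 4-byte big-endian length + body, zero-filled to a bucket multiple."""
    framed = struct.pack(">I", len(body)) + body
    target = -(-len(framed) // bucket) * bucket  # round up to bucket boundary
    return framed.ljust(target, b"\x00")

def unpad(frame: bytes) -> bytes:
    """Recover the body, rejecting frames with an inconsistent length or padding."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", frame[:4])
    if n > len(frame) - 4:
        raise ValueError("length field exceeds frame")
    if any(frame[4 + n:]):
        raise ValueError("non-zero padding")
    return frame[4:4 + n]

def observable_sizes(bodies, padded: bool) -> list:
    """Sizes a network observer sees, assuming encryption adds only constant overhead."""
    return [len(pad(b)) if padded else len(b) for b in bodies]

if __name__ == "__main__":
    print("unpadded:", observable_sizes([LEFT, RIGHT], padded=False))
    print("padded:  ", observable_sizes([LEFT, RIGHT], padded=True))
```

Responses larger than the bucket land in the next multiple, so the bucket has to sit above the largest message whose size should stay hidden.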

It may seem minor, but trusting sensitive personal information to apps that don't protect it properly is a problem that's just getting worse. We reached out to Tinder for comment, and the company confirmed that in-app images aren't encrypted, but it says it's "working towards" doing so. The full statement is below:

"We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it's important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers."

Via: Wired
Source: Checkmarx