Hackers could take over Tinder account with just one phone number

Date: 2018-02-22

Tinder accounts could be at risk from hackers armed with nothing more than a mobile number, according to revelations made by cyber security company AppSecure. The company has also informed Tinder and Facebook about the problem. Both engineering teams have plugged the issue, according to AppSecure’s Medium blogpost. The exploit takes place due to a vulnerability in Account Kit by Facebook and the dating app’s own implementation of the login process, which relies on it. Tinder asks users to sync their Facebook account to access the dating app.

According to AppSecure, the account takeover vulnerability in Tinder means that an attacker can gain access to the dating app account using any phone number that is used to log in. The security firm points out that in Tinder’s case the option for mobile number-based login is provided by Facebook’s Account Kit, which had a vulnerability.

For context, Account Kit from Facebook lets users quickly register and log into the registered app with their phone number or email address, without requiring a password. It can be used for different services. The vulnerability in Account Kit would have allowed the hacker to log in to Account Kit with any phone number and, once in, to obtain the user’s access token for the account, which is present in cookies, the firm points out.

Once the attacker has access to this token, they could then use it to enter the user’s Tinder account, says AppSecure. The attacker could enter just anyone’s phone number and then simply get access to the victim’s Tinder account, as the dating app was not verifying or mapping the account token to the right client account. The post also says that once the attacker is in, they could read private chats, view full personal information, swipe other user profiles left or right, etc. on Tinder. AppSecure says Facebook paid a $5000 reward for the security vulnerability and Tinder paid $1250.
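The missing check described above, shown as an added example that is not code from AppSecure, Tinder or Facebook: a login handler that accepts any token the identity provider recognises, beside one that maps the token to the right client app and account. The token store, app IDs, phone numbers and function names are constructed for illustration and do not reflect Account Kit's real API.

```python
import hmac

# Constructed stand-in for the identity provider's token records (assumption,
# not Account Kit's real data model): which app and account each token is for.
ISSUED_TOKENS = {
    "tok-A": {"app_id": "dating-app", "account_id": "acct-1", "phone": "+15550100"},
    "tok-B": {"app_id": "other-app", "account_id": "acct-9", "phone": "+15550199"},
}

EXPECTED_APP_ID = "dating-app"  # the only client this backend should accept tokens for


def introspect(token):
    """Hypothetical provider lookup: return the token's record, or None."""
    return ISSUED_TOKENS.get(token)


def login_unchecked(token, claimed_phone):
    """Before: any recognised token opens a session for the phone number the
    client supplies; the token is never mapped to an app or an account."""
    if introspect(token) is None:
        return None
    return claimed_phone


def login_checked(token, claimed_phone):
    """After: the token must be issued to this app, and the session identity
    comes from the token's own record, not from client-supplied input."""
    info = introspect(token)
    if info is None:
        return None
    # Reject tokens minted for a different client application.
    if not hmac.compare_digest(info["app_id"], EXPECTED_APP_ID):
        return None
    # Reject a token whose verified phone number is not the one being claimed.
    if not hmac.compare_digest(info["phone"], claimed_phone):
        return None
    return info["account_id"]


if __name__ == "__main__":
    # A token issued for another app and another number, presented for +15550100.
    print("unchecked:", login_unchecked("tok-B", "+15550100"))
    print("checked:  ", login_checked("tok-B", "+15550100"))
    print("legit:    ", login_checked("tok-A", "+15550100"))
```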

