The Tinder app does not use basic HTTPS encryption for its photos, meaning an attacker on the same network could view a user's photos or insert their own into the user's photo stream. Tel Aviv-based security research firm Checkmarx discovered two vulnerabilities in the dating app that hackers can exploit to see users' profiles as well as the profiles they have viewed. Note that the attack requires the hacker to be on the same network as the user.
“The Checkmarx Security Research Team found disturbing vulnerabilities in a highly popular dating application used by people across the globe – Tinder,” reads a Checkmarx blog post. The research firm created an app called TinderDrift to demonstrate the vulnerabilities in the Tinder app. In a YouTube video, Checkmarx showed that potential hackers can recreate users' actions on Tinder if they share the same WiFi network.
Attackers could use this sensitive information to blackmail victims by threatening to expose private details from the user's Tinder profile. Although swipes and matches are encrypted on Tinder, hackers can track specific bytes in the encrypted traffic to determine the user's action: a left swipe, a right swipe, a Super Like, a match, and so on.
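The point above is that encryption hides content but not size: if each action produces a response of a characteristic length, an observer on the same network can tell the actions apart from ciphertext lengths alone. The following added example (not Checkmarx's code, and the response bodies, sizes and TLS overhead are constructed for illustration rather than taken from Tinder) shows the leak in a toy model and the standard mitigation, padding every response to a fixed-size bucket so all actions look the same on the wire.

```python
"""Length side channel on encrypted API responses, and bucket padding as mitigation.

All sizes and bodies below are constructed; they are not Tinder's real traffic.
"""
import json

# Constructed sample responses, one per user action (sizes are invented).
SAMPLE_RESPONSES = {
    "swipe_left": json.dumps({"status": 200}),
    "swipe_right": json.dumps({"status": 200, "match": False}),
    "super_like": json.dumps({"status": 200, "match": False, "super": True}),
    "match": json.dumps({"status": 200, "match": True, "match_id": "m-0001"}),
}

# Assumed constant per-record overhead (header + auth tag) in this simplified model.
TLS_OVERHEAD = 29


def observable_length(body: str) -> int:
    """Length an on-path observer sees: plaintext length plus constant overhead."""
    return len(body.encode()) + TLS_OVERHEAD


def pad_to_bucket(body: str, bucket: int = 256) -> str:
    """Pad a JSON body with trailing whitespace (ignored by JSON parsers) so it
    fills a whole number of `bucket`-byte slots; the padding is encrypted too."""
    raw = body.encode()
    padded_len = -(-len(raw) // bucket) * bucket  # round up to a multiple of bucket
    return (raw + b" " * (padded_len - len(raw))).decode()


def action_fingerprints(responses: dict, bucket: int = 0) -> dict:
    """Map each observable length to the set of actions that produce it.
    bucket=0 means no padding is applied."""
    fingerprints = {}
    for action, body in responses.items():
        if bucket:
            body = pad_to_bucket(body, bucket)
        fingerprints.setdefault(observable_length(body), set()).add(action)
    return fingerprints


def leaks_action(responses: dict, bucket: int = 0) -> bool:
    """True if some observed length identifies exactly one action."""
    return any(len(acts) == 1 for acts in action_fingerprints(responses, bucket).values())


if __name__ == "__main__":
    print("unpadded leaks action:", leaks_action(SAMPLE_RESPONSES))         # True
    print("padded leaks action:", leaks_action(SAMPLE_RESPONSES, 256))      # False
```

Padding to buckets costs bandwidth, so in practice the bucket size is chosen just large enough to cover the largest response in the group of actions that must be indistinguishable.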
“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content (as demonstrated in the research),” the post added.