Skip to main content

Watch Out for This Tinder, Facebook Hijack

It's the holiday season, which is a perfect time to catch up with friends and family. But some friends may use it as the opportunity to prank you — perhaps by hacking into your Tinder account using a prank developed by Robert Heaton, a software engineer at San Francisco online-payments processor Stripe.

Pranksters need direct access to your computer to do this — and with that kind of access, they could do a lot worse than simply changing your Tinder profile picture or claiming you like Twilight. But the real trick is that pranksters can still pull it off even if you're only away from the computer for a minute or two, using a method called cookie-tossing.

MORE: The Five Worst Security Fails of 2014

You're a potential pranking target if you: 1) don't lock your screen when you step away from your computer; 2) stay logged into Facebook (as many people do), 3) are logged into Facebook in the Chrome browser; and 4) have an active account on Tinder, a dating and hookup app that uses members' Facebook accounts.

Here's how the prank works: While you're away from the computer, your friend can hop onto your machine and download a Chrome extension called EditThisCookie. It lets him or her copy your Facebook login-session credentials, which are stored as cookies in Chrome. Pranksters then can email themselves the cookies, for reuse on their own computers. This is called a "cookie toss."

This takes only a few minutes; once it's accomplished, pranksters can troll your Facebook and Tinder accounts for the next hour or so (the cookies will eventually "time out").

Tinder is a mobile app and can't be accessed directly from a computer, even with the Facebook cookies. So the next step is to parlay that Facebook access onto a smartphone.

This process is a bit hairier, but it boils down to a prankster deleting the Facebook app from his or her own smartphone, signing out of their own Tinder account (or downloading Tinder otherwise), opening Facebook via the phone's mobile browser and finally setting themselves up as a "man-in-the-middle" between your Facebook and Tinder accounts.

Pranksters can then access your Tinder account on that smartphone, at least until you log out of Facebook and the tossed session cookies expire. Until then, pranksters can do just about anything, from changing your Tinder profile picture to setting you up on all kinds of weird dates.

The full blow-by-blow explanation is on Heaton's blog. Happy holidays, everyone!

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She previously worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation.