Tinder Flaw Lets Anyone Snoop on Your Swipes

A troubling flaw in Tinder’s architecture could let a clever hacker spy on your swipes and likes — but Tinder doesn’t seem bothered enough by the problem to offer up a solution.

Credit: Rawpixel.com/ShutterstockCredit: Rawpixel.com/Shutterstock

Israeli security firm Checkmarx released a report on the subject, entitled “Are You on Tinder? Someone May Be Watching You Swipe.” The paper covers two distinct and potentially troubling flaws. The first takes advantage of unsecured Tinder protocols; the second can discern what happens behind secured connections with a little basic math.

MORE: Best Dating Apps

It’s important to note that it’s not possible to exploit either vulnerability unless a would-be attacker can monitor data on your Wi-Fi network. In other words, it’s only a threat on unsecured public Wi-Fi. (Or if someone has hacked into your Wi-Fi network, but if that’s the case, you have bigger problems.) Simply avoiding networks like that will save you from this flaw — and from a lot of other trouble, in general.

The first flaw, dubbed CVE-2018-6017, takes advantage of the fact that Tinder uses HTTP connections (which are not secured against man-in-the-middle snoopers) to display profile pictures. A savvy malefactor would simply have to monitor network traffic (this is trivial on a public Wi-Fi network), and he or she would be able to see which device is looking at which profiles.

The potential damage here admittedly seems limited. After all, it’s not that much of a threat to see that a person on an iPhone is looking at publicly available Tinder profiles. A potential cybercriminal could also use this to see your profile information, but again, he or she could do that just as easily by creating a fake account.

However, in conjunction with the second flaw, CVE-2018-6018, the first becomes a little more insidious. Although Tinder secures swipes and likes behind an HTTPS protocol, each action takes up a different amount of data. Rejections require 278 bytes, approvals require 374 bytes and likes require 581 bytes. By creating a program to concatenate data from the second flaw with data from the first, an attacker could discover which profiles you’re accepting and rejecting.

Checkmarx created a simple program called Tinderdrift to demonstrate the two flaws in action.

Tinder drift demo

Tinder doesn’t seem overly concerned about the bugs, although it may address them at some point in the future.

“We take the security and privacy of our users very seriously. We employ a network of tools and systems to protect the integrity of our global platform,” a Tinder representative told The Register. "That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.”

Indeed, it’s hard to imagine a truly catastrophic situation involving the leaked data. A person could find out who you’re accepting and rejecting, then accost you in a public place, but to what end? Perhaps a very, very savvy cybercriminal could accost and blackmail an unfaithful husband or wife trying to cheat, but again, using a fake profile is just as easy.

Still, privacy is privacy, and if you value yours, you probably shouldn’t use Tinder on a public Wi-Fi network. Then again, there’s not much you really should do on a public Wi-Fi network, so Tinder is no exception.

Create a new thread in the Antivirus / Security / Privacy forum about this subject
No comments yet
Comment from the forums
    Your comment