Tinder app can let people see who you match with and swipe left or right on

'You know everything: what they’re doing, what their sexual preferences are, a lot of information'

Aatif Sulleyman
Wednesday 24 January 2018 10:42 EST
Comments
Joel Balcita shows his homemade Tinder App costume at the West Hollywood Halloween Costume Carnaval, which attracts nearly 500,000 people annually, in West Hollywood, California October 31, 2015
Joel Balcita shows his homemade Tinder App costume at the West Hollywood Halloween Costume Carnaval, which attracts nearly 500,000 people annually, in West Hollywood, California October 31, 2015 (REUTERS/Jonathan Alcorn)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

“Major” vulnerabilities in the Tinder app can let people see exactly who you match with and swipe left or right on.

If the security flaws are exploited, an attacker could gather enough sensitive information to blackmail you, cyber security researchers say.

What’s more, they could also alter the appearance of profile pictures you see, and even switch them for “malicious content”.

The vulnerabilities were uncovered by cyber security firm Checkmarx, which describes them as “disturbing”.

It discovered that the Tinder app lacks basic HTTPS encryption for profile pictures, allowing anyone using the same Wi-Fi network as you to see the same profiles you come across on the app.

Checkmarx also found that different actions within the app produce specific patterns of bytes that are recognisable even in encrypted form.

A left swipe is represented as 278 bytes, a right swipe is 374 bytes and a match shows up as 581 bytes, the researchers say.

“We can simulate exactly what the user sees on his or her screen. You know everything: what they’re doing, what their sexual preferences are, a lot of information,” Erez Yalon, Checkmarx’s manager of application security research, told Wired.

“It’s the combination of two simple vulnerabilities that create a major privacy issue.”

The researchers built an app, called Tinder Drift, which demonstrates just how much information an attacker could get their hands on, if they’re using the same Wi-Fi network as you.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app,” the researchers wrote.

“It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

Checkmarx says it notified Tinder about its findings in November, but the company is yet to fix the issues.

“We take the security and privacy of our users seriously,” a Tinder spokesperson told The Independent. ”We employ a network of tools and systems to protect the integrity of our platform.

“That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.

“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would be hackers.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in