Tinder, Bumble and Happn can reveal your messages and the profiles you've been viewing

Researchers say the exploits could lead to dating app users being identified, located, stalked and even blackmailed

Aatif Sulleyman
Tuesday 07 November 2017 11:09 EST
Comments

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Criminals can use shortcomings in popular dating apps, including Tinder, Bumble and Happn, to see users’ messages and find out which profiles they’ve been viewing, after gaining access via your device.

As well as having the potential to cause major embarrassment, the exploits could lead to dating app users being identified, located, stalked and even blackmailed.

The researchers, from Kaspersky Lab, studied the Android and iOS versions of Tinder, Bumble, Happn, OKCupid, Badoo, Mamba, Zoosk, WeChat and Paktor.

They said it was “fairly easy” to find out a user’s real name from their bio, as a number of dating apps allow you to add information about your job and education to your profile.

Using these details, the researchers managed to find users’ pages on various social media platforms, including Facebook and LinkedIn, as well as their full names and surnames, in 60 per cent of cases.

Some of the apps, such as Tinder, also let you link your profile to your Instagram page, which can make it even easier for someone to work out your real name.

As the researchers explain, tracking you down on social media can enable someone to gather much more information about you and circumvent common dating app restrictions.

“Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like.”

They also found that Tinder, Mamba, Zoosk, Happn, WeChat and Paktor users are “particularly susceptible” to an attack that lets people work out your precise location.

Dating apps tell you how far away another user, but precision varies between apps. They’re not supposed to reveal any exact locations, but the researchers were able to uncover them.

“Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them,” say the researchers.

“This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.”

Most worrying of all, the researchers were also able to access users’ messages, find out which profiles they’d viewed and even take over people’s accounts.

They managed to do this by intercepting data from the apps and stealing authentication tokens - mainly from Facebook - which often aren’t stored very securely.

“Using the generated Facebook token, you can get temporary authorization in the dating application, gaining full access to the account,” the researchers said. “In the case of Mamba, we even managed to get a password and login – they can be easily decrypted using a key stored in the app itself.

“Most of the apps in our study (Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor) store the message history in the same folder as the token. As a result, once the attacker has obtained superuser rights, they will have access to correspondence.

“In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches photos that can be opened. With access to the cache folder, you can find out which profiles the user has viewed.”

The researchers, who have reported the exploits to the developers of the apps, say you can protect yourself by avoiding public Wi-Fi networks, especially if they aren’t protected by a password, and using a VPN.

They also recommend not adding your place of work to your dating profile.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in