Criminals can spy on your Tinder swipes

The world’s most popular online dating app, Tinder, has a serious security flaw. It lacks the standard encryption that would keep your photos, swipes, and matches private. As a result, anyone with minimal programming skills who is connected to the same Wi-Fi network as you can see whom you have swiped right or left on.[1] So if you are looking for love or company for a Friday night, think twice before connecting to the café’s Wi-Fi. You cannot be sure that the hipster sitting in the corner is not too curious about your preferences and plans on Tinder.

Cybercriminals can spy on your Tinder swipes to the left or right.

App security company Checkmarx[2] discovered two flaws in Tinder’s HTTPS protection that allow attackers to see and modify your pictures and to see whom you swiped left or right on. Why would they do that? For example, they might change your profile picture or even inject malicious content.[5]

Access to your personal information, and the ability to get in the middle of your activity in the app, is a threat to your privacy. The reported issue was found in both the Android and iOS versions of the app.

Tinder vulnerability No. 1: Getting access to your pictures

Checkmarx discovered that Tinder does not use basic HTTPS encryption for photos, which allows third parties to access them. Attackers on the same Wi-Fi network can view a user’s photos, replace them, and inject their own content into the stream. That lets them not only increase their chances of getting your right swipe but also include malicious content.

Tinder vulnerability No. 2: Anyone can see your swipes

Researchers say that the app’s other data is sent with HTTPS encryption. However, that is not good enough: third parties can still tell whether you swiped right or left, which means they learn your preferences and other personal information. Hence, they could easily blackmail users or threaten to leak that information.

Analysis of the app flaws

The company created TinderDrift, proof-of-concept software that could step into a Tinder user’s swiping or chatting session from a laptop connected to the same Wi-Fi network. The researchers used a couple of tricks to pull information out of Tinder’s encrypted traffic.

Although the app uses HTTPS encryption, it still transmits photos over unprotected HTTP. For this reason, third parties can quite easily step in the middle while pictures are sent to or from the smartphone.

Furthermore, each action in the app, such as swiping left or right, produces a specific pattern of bytes, and TinderDrift is able to interfere with those patterns and swipe on behalf of the user. However, the chances that someone would use this to match with you and start a conversation are slim; such activity is more likely to lead to blackmail and privacy problems.
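As an added illustration (not Checkmarx’s TinderDrift code, and using constructed stand-in messages rather than Tinder’s real API commands), the following Python models why encrypted commands of different sizes stay distinguishable to someone watching the traffic, and shows the defender-side fix: padding every command to a fixed block size before it is encrypted.

```python
import secrets

# Constructed stand-ins for the app's swipe commands (not Tinder's real
# messages): each action serialises to a different number of bytes.
ACTIONS = {
    "swipe_right": b'{"action":"like","target":"user-123"}',
    "swipe_left": b'{"action":"dislike","target":"user-123"}',
    "superlike": b'{"action":"superlike","target":"user-123","boost":true}',
}

BLOCK = 256  # assumed padding granularity for the mitigation


def encrypt(plaintext: bytes) -> bytes:
    """Stand-in for the TLS record layer: a fresh one-time pad hides every
    byte of content, but the ciphertext is exactly as long as the plaintext."""
    keystream = secrets.token_bytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def pad_to_block(plaintext: bytes, block: int = BLOCK) -> bytes:
    """Mitigation: prefix the real length and pad to a block boundary so every
    command has the same size on the wire. Reversed by unpad_block()."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(plaintext).to_bytes(2, "big") + plaintext
    return body + b"\x00" * (-len(body) % block)


def unpad_block(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def fingerprint(send):
    """What a passive observer on the same Wi-Fi can learn from a few known
    sessions: a map from observed ciphertext length to the actions producing it."""
    table = {}
    for action, body in ACTIONS.items():
        table.setdefault(len(send(body)), set()).add(action)
    return table


def guess_action(observed_len, table):
    """Return the action if its length identifies it uniquely, else None."""
    candidates = table.get(observed_len, set())
    return next(iter(candidates)) if len(candidates) == 1 else None


def leak_demo(send):
    """For each action, does size alone reveal it to the observer?"""
    table = fingerprint(send)
    return {a: guess_action(len(send(b)), table) for a, b in ACTIONS.items()}
```

Running `leak_demo(encrypt)` recovers every action from length alone, while `leak_demo(lambda p: encrypt(pad_to_block(p)))` returns None for each because all three commands now occupy the same 256 bytes.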

The only bright side of the Tinder vulnerability is that your conversations are safe: the detected flaws cannot be used to read messages.

Tinder has known about the issue since November

Checkmarx reported the detected vulnerabilities in November. However, the problem still remains. According to a Tinder spokesperson’s statement to WIRED,[3] the web version of Tinder is encrypted with HTTPS. The company says it is planning to improve its security and protection, but it is not revealing any specific details:

“However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers.” [Source: Wired]

Researchers say that encrypting photos alone is not enough to protect users’ privacy; the app’s other commands must be secured as well. Meanwhile, Tinder users should keep in mind that when they look for a hot date over public Wi-Fi,[4] someone might be watching their choices.