Security researchers have discovered that the Tinder app might not be as private as one might have thought, as hackers have discovered a way to view photos users are perusing, including those all-important left and right swipes.
According to a report released by the app security company Checkmarx on Tuesday, vulnerabilities in Tinder’s encryption can allow hackers to spy on active Tinder accounts. The problem arises because Tinder doesn’t use HTTPS encryption on profile photos within its iOS and Android apps.
As Wired first reported, because Tinder doesn’t encrypt profile images on its app, a hacker can snoop around a user’s profile and see their profile images and the images of other users that they view while they are connected to an open Wi-Fi network, according to Checkmarx’s research.
A hacker might also be able to swap out images a user sees, insert ads, or insert malware disguised as an image. But images aren’t the only part of the data that is unencrypted, said Ashbel. A snoop could see when a chat is initiated — but the text in the chat is not exposed because it’s encrypted, he said.
In order to demonstrate an attack, the firm has created an app called TinderDrift. In a video on YouTube (below), one can see how such an app could be used to follow Tinder users‘ actions on Tinder if the person is sharing the same Wi-Fi.
The researchers have disclosed two flaws – CVE-2018-6017 and CVE-2018-6018 – in the app. The report says, “Our research found two vulnerabilities that, once combined, enable a malicious attacker to spy on a Tinder user’s every move in the app.”
This means hackers can see a user’s profile, profiles which the user views, as well as actions like swiping left or right, and more. The attacker can follow the user’s Tinder matches and seriously compromise the user’s privacy, the researchers noted.
Tinder does not disclose details about its security tools “to avoid tipping off would-be hackers,” a company spokesperson told Wired. But it said it takes the security and privacy of users seriously.
“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers,” the spokesperson said. “For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well.”
Check out Checkmarx‘s video below.