Online dating apps aren't as anonymous as you'd like to think (and it's largely your fault)

Shawn Knight

TechSpot Staff
Staff member

Security researchers with Kaspersky Lab have disclosed that a number of popular dating apps are vulnerable to a variety of attacks that can reveal personal user details including full names, the name of your employer and even your location.

In four of the top nine online dating apps investigated (Tinder, Bumble, OkCupid, Badoo, Mamba, Zoosk, Happn, WeChat and Paktor), researchers were able to determine a user’s true identity based on data provided in profiles. By knowing your employer, field of study or where you went to school, it was possible to find users’ social media accounts and thus learn real names.

Kaspersky says they could identify Happn and Paktor users on other social media sites 100 percent of the time. The success rate dropped to 60 percent and 50 percent for Tinder and Bumble, respectively, which is still quite significant.

Six of the nine aforementioned apps reveal some form of location data on users, such as the distance between you and a person you’re interested in. By moving around and logging data about the distance between two users, it’s “easy to determine the exact location” of the “prey.”

Happn seems to be the worst offender, revealing details like how many meters separate you from other users. The app even shows the number of times two people have crossed paths, making it even easier to track someone down.

Most of the apps Kaspersky looked into transfer data to a server over an SSL-encrypted channel but that’s not always the case. The analytics model used in the Android version of Mamba does not encrypt data about the mobile device being used while the iOS version transfers all data – including messages – in an unencrypted nature.

Tinder, Paktor, Bumble for Android and Badoo for iOS, meanwhile, upload photos via HTTP which can allow an attacker to determine which profiles a potential victim is browsing.

Worse yet, researchers found that five of the nine apps were vulnerable to man-in-the-middle attacks because they did not verify certificate authenticity. Almost all of the apps authorize through Facebook, meaning the lack of certificate verification can lead to the theft of a temporary authorization key (a token). This can give a criminal access to social media account data for up to three weeks or so, Kaspersky said.

Android users have even more to be worried about as eight of the nine apps studied provide “too much information to cybercriminals with superuser access rights.” This is largely only a concern for Android users as malware that gains root access in iOS is rare.

With such access, researchers were able to get authorization tokens for social media from almost every Android dating app tested. Credentials were encrypted although the decryption key was easily obtainable from the app itself. Apps like Tinder, Bumble, OkCupid, Badoo, Happn and Paktor all store message history and user photos with their tokens, thus hackers with superuser access can easily view such confidential information.

Kaspersky said it informed developers of its findings in advance, adding that some had already fixed issues and others were still working on corrections.

While some of these apps certainly need to step their security up, the biggest takeaway here is to simply be cognizant of the data that you’re volunteering on dating profiles. Should you want your dating profile to be somewhat anonymous, you need to be as vague as possible with regard to sharing details about yourself (save those for the first date, for example). If there’s one thing to realize in this post-Snowden era, it’s that the expectation of reasonable privacy shouldn’t really be expected. Anything you say or do that’s transmitted over the Internet can likely be traced back to you.

Permalink to story.

 

Kibaruk

TechSpot Paladin
Heck it's even easier, take one of the pictures a do a reverse image search, you don't have to be a rocket scientist for that one. Most probable than not, users have that same picture in one or more social media profiles. Once... I met someone and we exchanged numbers, through the whatsapp profile picture I was able to identify full name, where that person worked, and so on... after that I felt like a creep though...
 

Skidmarksdeluxe

TS Evangelist
Heck it's even easier, take one of the pictures a do a reverse image search, you don't have to be a rocket scientist for that one. Most probable than not, users have that same picture in one or more social media profiles. Once... I met someone and we exchanged numbers, through the whatsapp profile picture I was able to identify full name, where that person worked, and so on... after that I felt like a creep though...
Don't be. All that info you got from me was false intelligence anyway, designed to lead you astray. :D
 

Skidmarksdeluxe

TS Evangelist
Dating sites even existed back in my day but I always viewed them, and still do, as a half assed solution for desperado's, losers and even psycho's/stalkers. Oh well, whatever starts jerkin your gerkin.
 

wiyosaya

TS Evangelist
Dating sites even existed back in my day but I always viewed them, and still do, as a half assed solution for desperado's, losers and even psycho's/stalkers. Oh well, whatever starts jerkin your gerkin.
Thanks for your opinion.

I met my wife through a dating site, and we are far more compatible than anyone I could, or would have met in a bar. In fact, my wife was never part of the bar or club scene. We met over 16-years ago, and our relationship is getting deeper as time goes on. I cannot say that any of the people I know are anywhere near as compatible as we are. Coincidence or not, our compatibility is uncanny.

I credit the quality of our relationship to the fact that we both have done a lot of facing our own internal demons and befriending their strengths while discarding the darker aspects. I suspect that the reason many people are not as successful as we are is because those people have no clue as to their dark sides, and this is what really keeps them from forming deeper relationship bonds with others.

I met a few of those types in my journey, but I realized they were not what I was looking for and walked away, while some walked away from me. From my viewpoint, forming a deeper relationship requires more than booze, boobs, and a bed.

Back on topic, though, I disagree with the assessment that most of the revelation that goes on with these apps is primarily the responsibility of the users. When the apps lack basic security and reveal information like location details, I certainly fault the app much more so than I fault the user. While it is good advice to keep revealing details to a minimum, if the user should choose an app that is inherently insecure, I find it difficult to blame the user in any fashion other than the fact they might have done more research and found out beforehand that that particular app is something less than desirable.

As I see it, this is yet another symptom of product makers that jump on the latest fad with dreams of becoming billionaires and abandon any and all semblances of security. It in no way surprises me that dating apps are among the many insecure products presently available.
 
  • Like
Reactions: Skidmarksdeluxe

Skidmarksdeluxe

TS Evangelist
Thanks for your opinion.

I met my wife through a dating site, and we are far more compatible than anyone I could, or would have met in a bar. In fact, my wife was never part of the bar or club scene. We met over 16-years ago, and our relationship is getting deeper as time goes on. I cannot say that any of the people I know are anywhere near as compatible as we are. Coincidence or not, our compatibility is uncanny.

I credit the quality of our relationship to the fact that we both have done a lot of facing our own internal demons and befriending their strengths while discarding the darker aspects. I suspect that the reason many people are not as successful as we are is because those people have no clue as to their dark sides, and this is what really keeps them from forming deeper relationship bonds with others.

I met a few of those types in my journey, but I realized they were not what I was looking for and walked away, while some walked away from me. From my viewpoint, forming a deeper relationship requires more than booze, boobs, and a bed.

Back on topic, though, I disagree with the assessment that most of the revelation that goes on with these apps is primarily the responsibility of the users. When the apps lack basic security and reveal information like location details, I certainly fault the app much more so than I fault the user. While it is good advice to keep revealing details to a minimum, if the user should choose an app that is inherently insecure, I find it difficult to blame the user in any fashion other than the fact they might have done more research and found out beforehand that that particular app is something less than desirable.

As I see it, this is yet another symptom of product makers that jump on the latest fad with dreams of becoming billionaires and abandon any and all semblances of security. It in no way surprises me that dating apps are among the many insecure products presently available.
Kudos. I'm pleased it worked out for you.
 
  • Like
Reactions: wiyosaya