Researchers have found that Tinder, one of the world’s most popular dating apps, isn’t as private as one might expect. Thanks to the lack of basic encryption for photos, a person on the same Wi-Fi network could see the same pictures as a user and even add their own images to the stream.
As reported by Wired, researchers from Tel Aviv-based app security firm Checkmarx showed that because photos were not served over HTTPS, users were vulnerable to snooping. Additionally, the parts of the app that do use HTTPS leaked enough information to allow hackers to monitor a person’s actions.
To demonstrate how these vulnerabilities could be exploited, Checkmarx built a piece of software dubbed TinderDrift, which let them intercept the photos sent without HTTPS.
The researchers could also recognize what a person was doing in the app from the size of the traffic each action produced, even though that traffic was encrypted. Swiping left, for instance, produces 278 bytes, swiping right produces 374 bytes, and a match produces 581 bytes.
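The length side channel described above, illustrated as an added example (not Checkmarx’s TinderDrift or Tinder’s own code): a classifier that maps the three reported sizes to actions, beside the standard mitigation of padding every response to a fixed block size before encryption so that the sizes become indistinguishable. The 1024-byte block and the 2-byte length prefix are assumptions chosen for illustration; the action sizes are the ones the article reports.

```python
import secrets

# Sizes in bytes reported by Checkmarx for each in-app action.
ACTION_SIZES = {278: "swipe left", 374: "swipe right", 581: "match"}

# Assumed padding block size: every response is padded up to the
# next multiple of this value before it is encrypted.
PAD_BLOCK = 1024


def classify_by_length(length: int) -> str:
    """What an on-path observer can infer from ciphertext length alone
    when responses are sent unpadded."""
    return ACTION_SIZES.get(length, "unknown")


def pad_to_block(payload: bytes, block: int = PAD_BLOCK) -> bytes:
    """Server-side mitigation: prefix the payload with its 2-byte
    big-endian length and fill with random bytes up to a block boundary,
    so the encrypted length no longer identifies the action."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too large for a 2-byte length prefix")
    body = len(payload).to_bytes(2, "big") + payload
    filler = (-len(body)) % block
    return body + secrets.token_bytes(filler)


def unpad(padded: bytes) -> bytes:
    """Receiver side: strip the random filler using the length prefix."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def leak_demo() -> dict:
    """For each action, compare what the unpadded length reveals with
    the length seen after padding. Payloads are constructed stand-ins
    of the reported sizes, not real app responses."""
    result = {}
    for size, action in ACTION_SIZES.items():
        raw = bytes(size)
        padded = pad_to_block(raw)
        result[action] = (classify_by_length(len(raw)), len(padded))
    return result


if __name__ == "__main__":
    for action, (guess, padded_len) in leak_demo().items():
        print(f"{action}: unpadded reveals '{guess}', padded length {padded_len}")
```

After padding, all three actions produce the same 1024-byte length, so a size-only classifier can no longer tell them apart.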
The combination of the two vulnerabilities means TinderDrift can show what photos are approved, rejected, or matched in real time.
“We can simulate exactly what the user sees on his or her screen,” said Erez Yalon, Checkmarx’s manager of application security research. “You know everything: what they’re doing, what their sexual preferences are, a lot of information.”
While the issue may not be as bad as some other vulnerabilities, it could lead to blackmail schemes against users.
Tinder confirmed it doesn’t encrypt in-app images but said it is working toward this goal. The company’s statement:
We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it's important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.