Security researchers with AppSecure have disclosed a multi-part vulnerability that could have allowed a hacker to log into a Tinder account with just a phone number. Fortunately, the parties involved – Tinder and Facebook – were quick to address the flaws.
Tinder utilizes a service from Facebook called Account Kit that allows users to log into accounts using their mobile phone number or e-mail address. It’s billed as a reliable, easy-to-use option that gives people a choice about how they sign up for apps.
As AppSecure’s Anand Prakash highlights in a recent Medium post, the team discovered that Tinder’s API was not checking the client ID on the token from Account Kit during login. Conveniently enough, Account Kit itself also had a bug that let an attacker gain access to any user’s Account Kit simply by using their phone number.
In tandem, these flaws could have let an attacker log into any Tinder account. With free rein over the account, the attacker could read private chats, access personal information, swipe left or right on matches and more.
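The missing client ID check described above, as an added example that is not Tinder’s or Facebook’s code: a backend login handler that accepts a provider access token and maps its phone number to an account. Token introspection is simulated with a constructed table, and the app id, token strings and account ids are all made up; the fixed handler refuses tokens issued to any other app.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

OUR_CLIENT_ID = "app-relying-demo"  # constructed: this app's own id at the login provider

@dataclass(frozen=True)
class TokenInfo:
    user_id: str    # provider-side identity of the person who logged in
    phone: str      # phone number the token attests to
    client_id: str  # the app the provider issued the token *to*
    expired: bool

# Constructed stand-in for the provider's token introspection endpoint.
# "tok-other-app" is a perfectly valid token, but minted for a different app.
TOKENS = {
    "tok-ours":      TokenInfo("ak-1", "+15550001", OUR_CLIENT_ID, False),
    "tok-other-app": TokenInfo("ak-1", "+15550001", "app-someone-else", False),
    "tok-stale":     TokenInfo("ak-1", "+15550001", OUR_CLIENT_ID, True),
}

# Constructed relying-app user store: phone number -> account id
ACCOUNTS = {"+15550001": "account-42"}

def introspect(token: str) -> Optional[TokenInfo]:
    """Ask the (simulated) provider what a token represents."""
    return TOKENS.get(token)

def login_vulnerable(token: str) -> Optional[str]:
    """Trusts any live provider token and maps its phone to an account,
    never confirming the token was issued to *this* app."""
    info = introspect(token)
    if info is None or info.expired:
        return None
    return ACCOUNTS.get(info.phone)

def login_fixed(token: str) -> Optional[str]:
    """Same flow, plus an audience check: the token's client id must be ours."""
    info = introspect(token)
    if info is None or info.expired:
        return None
    if not hmac.compare_digest(info.client_id, OUR_CLIENT_ID):
        return None  # token confusion: issued to a different app, reject it
    return ACCOUNTS.get(info.phone)
```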
Prakash said the vulnerabilities were quickly patched by both Facebook and Tinder. AppSecure even earned bug bounty rewards for its efforts – $5,000 from Facebook and $1,250 from Tinder.