Security researchers have disclosed two vulnerabilities in Tinder's popular dating app that could let an attacker on the same network spy on a user's photos, swipes and matches. Researchers at Tel Aviv-based security firm Checkmarx found that Tinder's iOS and Android apps still fetch profile photos over plain HTTP rather than the standard HTTPS encryption.
This means anyone connected to the same public Wi-Fi network as the Tinder user can potentially see their photos, explore their profile and even add or alter images.
"It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content," Checkmarx said in a report.
By analysing the sizes of Tinder's HTTPS responses, which turn out to be predictable, the researchers also found that an attacker can infer a Tinder user's every move in the app without breaking the encryption at all.
The Tinder API uses HTTPS connections and sends encrypted packets from the server in response to each action made by the user, such as swiping right on a profile they liked, swiping left on one they passed up on or "super liking" with an upward swipe. However, the researchers found that each of these actions produces an encrypted response of a distinctive, fixed length, so an observer who can see only packet sizes can still tell which action the user has taken.
"User responses should not be predictable," researchers warned. "If the responses were padded to a fixed size, it would be impossible to differentiate between them. Otherwise, even though encrypted, the responses contain valuable information."
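The side channel and the fix the researchers describe, as an added example that is not part of the article or of Checkmarx's TinderDrift tool. The response bodies and the padded size of 256 bytes are constructed for illustration; the article does not give Tinder's real response sizes. The cipher is a stand-in that, like TLS, preserves plaintext length, which is exactly the property the attack relies on.

```python
"""
Passive traffic analysis on length-revealing encryption, and fixed-size
padding as the countermeasure. Everything here is an added illustration:
the action -> response mapping and PAD_TO are assumptions, not Tinder's data.
"""
import os

# Constructed plaintext API responses, one per user action. They differ in
# length, which is all the attacker needs.
RESPONSES = {
    "swipe_right": b'{"match":false,"likes_remaining":99}',
    "swipe_left": b'{"status":200}',
    "super_like": b'{"match":false,"super_likes_remaining":1,"status":200}',
}

PAD_TO = 256  # fixed on-the-wire size the server would pad to (assumption)


def encrypt_stub(plaintext: bytes) -> bytes:
    """Stand-in for TLS: unreadable bytes of the same length as the input.
    A real stream or AEAD cipher likewise preserves length (plus a constant
    overhead), so ciphertext length leaks plaintext length."""
    return os.urandom(len(plaintext))


def pad_fixed(plaintext: bytes, size: int = PAD_TO) -> bytes:
    """Length-hiding padding: 2-byte big-endian length prefix, payload, zero fill."""
    if len(plaintext) + 2 > size:
        raise ValueError("payload too large for the padded size")
    fill = b"\x00" * (size - 2 - len(plaintext))
    return len(plaintext).to_bytes(2, "big") + plaintext + fill


def unpad_fixed(padded: bytes) -> bytes:
    """Inverse of pad_fixed, used by the legitimate client."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def on_wire(action: str, pad: bool) -> bytes:
    """What an eavesdropper sees for one server response."""
    body = RESPONSES[action]
    return encrypt_stub(pad_fixed(body) if pad else body)


def build_fingerprints(pad: bool) -> dict:
    """Attacker's offline step: drive the app through each action once and
    record observed ciphertext length -> set of actions that produce it."""
    table = {}
    for action in RESPONSES:
        table.setdefault(len(on_wire(action, pad)), set()).add(action)
    return table


def classify(observed_len: int, fingerprints: dict) -> set:
    """Attacker's guess for one observed response. A singleton set means the
    action was recovered; the full set means padding hid it."""
    return set(fingerprints.get(observed_len, set()))


def reconstruct_session(actions: list, pad: bool) -> list:
    """Simulate a user's session and return what a sniffer infers per response."""
    fingerprints = build_fingerprints(pad)
    return [classify(len(on_wire(a, pad)), fingerprints) for a in actions]


if __name__ == "__main__":
    session = ["swipe_right", "swipe_left", "super_like", "swipe_left"]
    print("unpadded:", reconstruct_session(session, pad=False))
    print("padded:  ", reconstruct_session(session, pad=True))
```

Without padding every inferred set is a singleton, so the sniffer replays the session action by action; with padding every response is 256 bytes and each guess collapses to the full set of three actions. Note that padding must cover the largest response and should be applied to request sizes and timing as well if those also vary per action, otherwise the same attack simply moves to the next distinguishable feature.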
By exploiting both these flaws, an attacker located in a public space with open Wi-Fi such as an airport or cafe could potentially analyse and collect sensitive information about any Tinder user connected to the same network and follow how they are using it in real time.
However, the messages and photos sent between users after a match would still remain private.
"While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user's Tinder profile and actions in the app," Checkmarx said.
The security firm built a proof-of-concept app named TinderDrift (as seen in the video embedded below) to demonstrate how they were able to reconstruct a Tinder user's entire session on their laptop if that person was on the same public Wi-Fi network.
"The assumption that HTTP can be used in a sensitive application must be dropped," they added.
"Standard HTTP is vulnerable to eavesdropping and content modification, introducing potential threats that might not even be related to the app itself but the underlying operating system and/or used libraries."
Tinder said in a statement: "We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform.
"Like every other technology company, we are constantly improving our defences in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers."