Tinder's Encryption Void Leaves Your Dating Travails Visible To Stalkers

Tinder is a popular dating app that matches people up using swipes. If you thought that all the people you were swiping left or right on were private and only you and the people you swiped knew about them, you might be wrong. Security researchers have found a flaw that could allow those swipes to be captured and exposed.


The crux of the issue is that Tinder doesn't use HTTPS encryption for fetching images reports a security firm called Checkmarx. This lack of encryption means that your Tinder activity could be exposed over a local Wi-Fi network, allowing a nefarious or nosey character to see your Tinder likes and matches in real time. The researchers offered up a demonstration of the attack via a YouTube video.

The attack is performed using a program that the researchers created called "TinderDrift". That software takes advantage of a pair of Tinder flaws, including the lack of HTTPS encryption. When you are looking at a new dating profile via Tinder, the non-encrypted HTTP request sent over the network leaves the entire request exposed, including the web address for the image you are viewing.

The other vulnerability the software takes advantage of is one that allows digital stalkers to discover your swipe data. The dating app indicates a left swipe, which is Tinder for profiles you don't like when it sends 278 bytes of encrypted data to the image servers of the company. If you like the profile and swipe right, the researchers say that the Tinder app sends 374 bytes of data. If the Tinder user matches with another Tinder user, the app sends 581 bytes of data.

By knowing how much data is sent to the Tinder servers, the software can determine if you liked, disliked, or matched with profiles. The software can spy on the Tinder app running on nearby smartphones, but there are some limitations. It only works if the hacker and the Tinder user are on the same Wi-Fi network.

The researchers do point out that neither of the vulnerabilities used by their software open up credit card numbers or passwords for accounts, making these hacks uninteresting for garden-variety hackers looking for money and access. "Knowing an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing," the researchers said.

Tags:  security, App, Hack, Tinder