Your every swipe and match on Tinder could be revealed to strangers.
Researchers have uncovered two massive security flaws in the dating app that will show your activity to hackers who are using the same Wifi network.
Due to a lack of ‘basic’ security measures, hackers can see photos, sexual preferences and matches – and even inject their own images into a user’s photo stream.
Fortunately, private messages are currently safe from prying eyes.
While Tinder was informed of the flaws in November, it has yet to provide a fix.
Think twice before swiping right on Tinder in a public place. Your Tinder photos and private information about your sex life could be visible to the prying eyes of strangers using the same WiFi network as you
Launched in 2012, Tinder allows people to swipe through profiles to make social connections – swiping right to like and swiping left to move on to the next profile.
Used largely as a dating platform, 20 billion people have matched on the app in more than 196 countries.
Researchers from Tel Aviv-based security firm Checkmarx found it is possible for a hacker to take control of profile pictures and swap them for inappropriate content and rogue advertising.
One of the major issues is that the app does not currently use HTTPS encryption.
Instead, the app transmits pictures to and from the phone over unprotected HTTP, making it easy to intercept by anyone on the same network.
If a computer uses HTTPS it means it agrees on a code that scrambles messages meaning no one in between can read them.
However, if there is no HTTPS protection, these messages are not scrambled from the prying eyes of others.
An attacker that knows a user’s sexual preference could blackmail the victim and threaten to expose highly private information from the user’s Tinder profile, researchers warn.
Tinder’s iOS and Android mobile apps are still lacking basic encryption so your photos could appear in someone else’s photostream, security researchers have revealed
Researchers warn that by combining intercepted photos and encrypted comments, hackers could find out almost everything someone is doing on the app
An attacker that knows a user’s sexual preference could blackmail the victim and threaten to expose highly private information from the user’s Tinder profile
As well as lack of HTTPS, the researchers used a few additional ways get data from Tinder.
They found that different actions, even if encrypted, produced different patterns of bytes that were still recognizable.
A swipe to the left represents 278 bytes, a swipe right is 374 bytes and a match rings up 581, writes Wired.
The combination of these two simple vulnerabilities creates a huge privacy issue.
Hackers found they could even inject their own images into another user’s photo stream.
‘Knowing an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing’, researchers wrote in their blog.
‘The answers will ultimately determine the amount of effort companies such as Tinder, EA games and even Uber put into ensuring their apps are released vulnerability free (or as close to that as humanly possible)’, researchers wrote.
Security experts recommended that until all application makers implement comprehensive security testing solutions, users should be cautious about using the app on public networks.
Launched in 2012, Tinder allows people to swipe through profiles to make social connections – swiping right to like and swiping left to move on to the next profile
Researchers say this technique does not expose Tinder messages users send to each other after matching.
To demonstrate the app’s vulnerabilities, Checkmarx built proof-of-content software called TinderDrift.
If users run it on a laptop connected to any WiFi network it automatically reconstructs the whole session.
TinderDrift even labels photos as approved, rejected or matched in real time.
MailOnline has contacted Tinder for comment.