Tinder security flaw lets hackers break into your account

Hackers could break into your Tinder account using just your phone number, experts say.

The security flaw in the popular dating app could let attackers access your entire chat history without the need for a password.

It takes advantage of a flaw in both the dating app’s login process as well as a piece of Facebook-developed software that it’s based on.

The finding comes hot on the heels of a pair of major security flaws discovered in January that threatened to reveal your every swipe and match to strangers.

 

Hackers could break into your Tinder account using just your phone number, experts say. The security flaw in the popular dating app could let attackers access to your entire chat history without the need for a password

Researchers at Indian computer security firm Appsecure uncovered the bug.

When you login to Tinder, it gives you the the option of using your phone number as a security identifier. 

This is then sent to Facebook’s Account Kit for authentication.

Appsecure found it could take this information and give anyone permission to access the account by generating a token, a string of data that contains the security credentials for a login session and identifies the user.

Experts also found that Tinder’s login system wasn’t double checking that these access tokens matched the associated user’s client ID, another string of data that identifies who a user is.

In a blog post Anand Prakash, who discovered the flaw, said: ‘The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login. 

‘If the authentication is successful then Account Kit passes the access token to Tinder for login.

‘Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit. 

‘This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.’ 

Both the vulnerabilities were fixed by Tinder and Facebook quickly, according to Mr Prakash.

Facebook rewarded him with $5,000 (£3,600) and Tinder paid out $1,250 (£900), as part of a programme to encourage bug reporting.

The fact that they existed in the first place may be cause for concern for users of the dating service.

The bug takes advantage of a flaw in both the dating app's login process as well as a piece of Facebook-developed software that it's based on. Appsecure found it could generate a string of code to give permission to anyone to access a Tinder account

The bug takes advantage of a flaw in both the dating app’s login process as well as a piece of Facebook-developed software that it’s based on. Appsecure found it could generate a string of code to give permission to anyone to access a Tinder account

When you login to Tinder, it gives you the the option of using your phone number as a security identifier. This is then sent to Facebook's Account Kit (pictured) for authentication

When you login to Tinder, it gives you the the option of using your phone number as a security identifier. This is then sent to Facebook’s Account Kit (pictured) for authentication

Tinder has since spoken out, however, to reassure its fanbase that the firm is working to address any vulnerabilities in its software.

In a written statement, a spokesman for Tinder said: ‘Security is a top priority at Tinder. 

‘Like other major global technology companies, we employ a network of tools and systems to protect the integrity of our platform. 

‘As part of our ongoing efforts in this arena, we employ a Bug Bounty Program and work with skilled security researchers across the globe to responsibly identify potential issues and quickly resolve them. 

‘At Tinder, we are constantly improving our protocols to not only meet, but exceed industry best practices. 

‘However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.’

Tinder has since spoken out to reassure its fanbase that the firm is working to address any vulnerabilities in its software

Tinder has since spoken out to reassure its fanbase that the firm is working to address any vulnerabilities in its software

HOW DID ONLINE DATING BECOME SO POPULAR?

The first ever incarnation of a dating app can be traced back to 1995 when Match.com was first launched.

The website allowed single people to upload a profile, a picture and chat to people online.

The app was intended to allow people looking for long-term relationships to meet.

eHarmony was developed in 2000 and two years later Ashley Madison, a site dedicated to infidelity and cheating, was first launched.

A plethora of other dating sites with a unique target demographic were set up in the next 10-15 years including: OKCupid (2004), Plenty of Fish (2006), Grindr (2009) and Happn (2013).

In 2012, Tinder was launched and was the first ‘swipe’ based dating platform. 

After its initial launch it’s usage snowballed and by March 2014 there were one billion matches a day, worldwide.

In 2014, co-founder of Tinder, Whitney Wolfe Herd launched Bumble, a dating app that empowered women by only allowing females to send the first message.

The popularity of mobile dating apps such as Tinder, Badoo and more recently Bumble is attributable to a growing amount of younger users with a busy schedule.

In the 1990s, there was a stigma attached to online dating as it was considered a last-ditch and desperate attempt to find love.

This belief has dissipated and now around one third of marriages are between couples who met online.

A survey from 2014 found that 84 per cent of dating app users were using online dating services to look for a romantic relationship.

Twenty-four per cent stated that that they used online dating apps explicitly for sexual encounters.



Read more at DailyMail.co.uk