An easy-to-exploit bug has left Tinder accounts and private chats exposed to hackers, revealed a researcher this week.
Indian engineer Anand Prakash, a serial bug hunter, said on Wednesday, 20 February, that a flaw in a Facebook-linked program called Account Kit let attackers access profiles armed with just a phone number. Account Kit is implemented on Tinder and is used by developers to let users log on to a range of apps with a mobile number or email address instead of a password.
That should not have been enough for an account takeover by itself, but Tinder’s implementation of Account Kit had its own vulnerability. Tinder’s login system wasn’t verifying access tokens against their associated client ID, which meant anyone with a valid access token could take over an entire account. Chained together, the two vulnerabilities let researchers completely take over a Tinder account — with full access to the user’s profile and chats — starting from only a phone number.
According to Prakash, an ethical hacker known for finding bugs in popular websites, until recently there was a crack in this process that could let hackers compromise “access tokens” from users’ cookies. The attacker could then exploit a bug in Tinder to use the token, which stores security details, and log in to the dating account with little fuss.
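The missing check described above, as an added illustration that is not Tinder’s or Facebook’s code: a login handler that accepts any valid token is compared with one that also verifies the token was issued to the expected client ID. The introspection records and field names (“application_id”, “account_id”) are constructed assumptions.

```python
# Added example (not Tinder's or Account Kit's code). A login handler that
# binds an incoming access token to the client ID of the app it is
# supposed to have been issued to. Field names and sample tokens below
# are constructed for this illustration.

EXPECTED_CLIENT_ID = "app-placeholder-000"  # placeholder, not a real client ID

# Constructed sample of what a token introspection endpoint might return,
# keyed by the opaque access-token string presented at login.
INTROSPECTION = {
    # token issued to our own app for the victim's account
    "tok-ok":    {"valid": True,  "application_id": "app-placeholder-000", "account_id": "user-42"},
    # token for the same account, but issued to a different app
    "tok-other": {"valid": True,  "application_id": "app-other-999",       "account_id": "user-42"},
    # expired or revoked token
    "tok-bad":   {"valid": False, "application_id": "app-placeholder-000", "account_id": "user-42"},
}


def introspect(token):
    """Look up the token's metadata (stands in for a network call)."""
    return INTROSPECTION.get(token)


def login_vulnerable(token):
    """Logs the caller in as the token's account as long as the token is
    valid, without checking which app the token was issued to."""
    info = introspect(token)
    if not info or not info["valid"]:
        return None
    return info["account_id"]


def login_hardened(token, expected_client_id=EXPECTED_CLIENT_ID):
    """Same flow, but rejects tokens that were not issued to this app."""
    info = introspect(token)
    if not info or not info["valid"]:
        return None
    if info["application_id"] != expected_client_id:
        # Token belongs to another client; do not honour it here.
        return None
    return info["account_id"]


if __name__ == "__main__":
    for tok in ("tok-ok", "tok-other", "tok-bad"):
        print(tok, "vulnerable:", login_vulnerable(tok), "hardened:", login_hardened(tok))
```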
Earlier this year, on 23 January, a different set of “disturbing” vulnerabilities was found in Tinder's Android and iOS apps by the Checkmarx Security Research Team.
Experts said hackers could use them to take control of profile pictures and swap them for “inappropriate content, rogue advertising or other type of malicious content.” The firm claimed that nefarious attackers could “monitor the user's every move” on the application.
A bug within Tinder is problematic as the app boasts an estimated 50 million users worldwide with roughly 40 percent of them based in North America, and a million dates facilitated a week according to the website, along with 1.6 billion swipes a day.
Tinder declined to comment on the specifics of the report. “Security is a top priority at Tinder,” a representative said, “However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”