Tinder is an extremely popular application launched in 2012. It is mainly used as a dating platform in 196 countries and, on top of that, it has already helped more than 20 billion people to make social connections. Unfortunately, not everything about it is perfect. Researchers at Checkmarx, a Tel Aviv-based security company, have made a disturbing finding: Tinder currently does not use HTTPS encryption for photos. Instead, the application transmits all photos to and from users’ phones over HTTP, meaning that anyone on the same network, e.g. connected to the same free Wi-Fi, can get access to them or, for example, upload any photos they like.
The swipes, matches, names, and private messages Tinder users send to each other remain HTTPS-encrypted and thus cannot be read by intruders. Unfortunately, it is still possible to tell which actions users perform in the app, because each action produces a specific pattern of bytes. For example, 278 bytes represent a swipe left (to reject a potential date), 374 bytes represent a swipe right (to approve a potential date), and a match is equal to 581 bytes. It should be emphasized that this applies to both the iOS and Android versions of Tinder: both have these security flaws. As a Tinder spokesperson reported, the web-based version of Tinder is HTTPS-encrypted and, as a consequence, people using it have nothing to worry about.
The simple problem with Tinder is that the application does not use HTTPS to encrypt profile pictures. As a consequence, an attacker on the same network (e.g. sharing the same Wi-Fi) can easily access these pictures. Research conducted by specialists analyzing Tinder security issues has shown that not only profile pictures can be accessed: attackers can also see the pictures users are viewing. Luckily, as mentioned previously, all personal details, including the names of people in photos, remain encrypted, so users’ identities are safe. After intercepting traffic between users’ phones and Tinder servers, attackers can also replace images with different photos, display rogue advertisements, or even present users with malicious links that open websites containing malicious applications. Last but not least, they might try to steal personal information from users. According to specialists at Checkmarx, hackers might try to blackmail users if they manage to get some private information, e.g. sexual preferences.
Since the security issue discussed in this report lies in the Tinder application itself, there is nothing individual users can do to fix it. Security experts say that it would be smart to stay away from unsecured Wi-Fi networks, e.g. in a coffee shop, until the vulnerability is fixed, because an attack can only work if a user and an attacker are sharing the same network. Keep in mind that hackers might set up Wi-Fi hotspots to have a chance to access more Tinder profiles, so never connect to suspicious networks.
HTTPS encryption is used by a number of websites these days, according to Mozilla statistics that can be found at letsencrypt.org. Secure websites can be recognized quite easily: there is a lock symbol next to the URL in the address bar. While 68% of all websites on the web are HTTPS-encrypted, both the iOS and Android versions of Tinder still use HTTP, and their security must be improved as soon as possible because the app cannot ensure the protection of users’ privacy even though many users feel safe.
Researchers say that Tinder should not only fix the issue with photos, i.e. encrypt them so that they cannot be accessed by attackers, but should also make it impossible to recognize specific user commands (e.g. swipes). This can be done, for example, by adding some noise so that all commands are the same size. Alternatively, they can simply make those commands indecipherable.
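The size-equalizing fix the researchers suggest, applied to the 278/374/581-byte sizes reported above, can be sketched as follows. This is an added example, not Tinder's or Checkmarx's code; the 1024-byte bucket, the 16-byte encryption overhead, the length-prefix format and all function names are assumptions, and the sample commands are constructed.

```python
import struct

# Wire sizes the article reports for each encrypted Tinder action.
ARTICLE_SIZES = {"swipe_left": 278, "swipe_right": 374, "match": 581}
BUCKET = 1024       # assumed fixed padded size, larger than any command
AEAD_OVERHEAD = 16  # assumed constant bytes added by encryption (auth tag)

def pad(message: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the true length, then zero-fill to a multiple of bucket."""
    body = struct.pack(">I", len(message)) + message
    padded_len = -(-len(body) // bucket) * bucket  # round up
    return body.ljust(padded_len, b"\x00")

def unpad(padded: bytes) -> bytes:
    """Recover the message; reject malformed length fields or padding."""
    if len(padded) < 4:
        raise ValueError("padded message too short")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("length field exceeds padded body")
    if any(padded[4 + n:]):
        raise ValueError("non-zero padding bytes")
    return padded[4:4 + n]

def wire_length(plaintext: bytes) -> int:
    """Size visible to a network observer after encryption (modelled)."""
    return len(plaintext) + AEAD_OVERHEAD

def sample_commands() -> dict:
    """Constructed plaintexts sized to reproduce the article's wire sizes."""
    return {a: b"x" * (s - AEAD_OVERHEAD) for a, s in ARTICLE_SIZES.items()}

def observable_lengths(padded: bool) -> dict:
    """Map each action to the length an observer sees on the network."""
    return {a: wire_length(pad(m) if padded else m)
            for a, m in sample_commands().items()}

if __name__ == "__main__":
    print("unpadded:", observable_lengths(False))  # three distinct sizes
    print("padded:  ", observable_lengths(True))   # one size for every action
```

The padding has to be applied before encryption so that the filler is hidden inside the ciphertext. It equalizes size only: the timing and number of messages remain visible to an observer.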
- Fowler, B. Flaws In Tinder App Put Users’ Privacy At Risk, Researchers say. Consumer Reports
- Free Images.
- Greenberg, A. Tinder’s Lack of Encryption Lets Strangers Spy On Your Swipes. Wired
- Let’s Encrypt Stats. Let’s Encrypt
- Liao, S. Hackers Can See Your Tinder Photos And Figure Out Your Matches. The Verge
- Weston, P. Your Tinder Secrets Could Be Exposed: Massive Security Flaws In the App Could Let Strangers Hijack Your Photos, Spy On Your Swipes And See Pictures Of All Your Matches. Mail Online
- Zahger, D. Are You On Tinder? Someone May Be Watching You Swipe. Checkmarx