Researchers at Checkmarx, a cybersecurity firm from Tel Aviv, found that Tinder does not use standard HTTPS encryption. Anyone connected to the same Wi-Fi network as you can see your photos in Tinder or even post their own. Only the photos are unprotected – the rest of the application data is encrypted. However, according to Checkmarx experts, attackers can still piece together enough information to recognize encrypted commands and tell when the user swipes left, swipes right or gets a match. It's as if an attacker were looking at your phone over your shoulder. The researchers argue that such a vulnerability can lead to unpleasant consequences – from simple cases of voyeurism to blackmail.
To demonstrate the vulnerability of Tinder, Checkmarx developed an experimental program called TinderDrift. Run on a laptop connected to a Wi-Fi network that has Tinder users on it, the program can automatically reconstruct a full picture of their sessions.
The experts found that different actions in the application are transmitted as a specific number of bytes, so they can be recognized even in encrypted form. For example, a swipe to the left is 278 bytes, a swipe to the right is 374, and a match is 581 bytes. Thus, TinderDrift can mark which photo was approved or rejected. Fortunately, according to the experts, the program is not able to decrypt messages exchanged by a matched couple in Tinder.
Checkmarx informed Tinder about the vulnerability back in November, but the problem remains unresolved. An official representative of Tinder said that the company is constantly working to improve its protection against hackers, and noted that he would look into the situation with photos (although he did not say anything about the actions performed on these photos). The company also said that HTTPS is used in the web version of the application and will come to the app in the future.
For several years, HTTPS has been the standard protection for any application or site that cares about the privacy of its users. The danger of neglecting this protocol was already being discussed back in 2010, when Firesheep, an experimental extension for Firefox, appeared. This extension allows anyone to capture all unencrypted traffic from the local network. Since then, almost every major technology company has been using HTTPS, except, as it turned out, Tinder. Encryption has a certain performance cost, but modern servers and phones can easily cope with it. “In our time, there is not a single valid reason for not using HTTPS,” Yalon commented.
To eliminate the vulnerability, Checkmarx recommends that Tinder not only encrypt photos but also strengthen the protection of commands by adding “noise” to them so that they are all transmitted at the same size. It is not known exactly when Tinder will fix the problem, so be careful about uploading photos to Tinder while connected to public Wi-Fi.
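The padding recommendation above, sketched as an added example (not Checkmarx's or Tinder's code): each command is padded to one fixed size before encryption, so the three sizes quoted in the article collapse to a single observed length. The command bodies, the 1024-byte bucket, the 2-byte length prefix and the 29-byte encryption overhead are assumptions made for illustration.

```python
import os
import struct

# Constructed stand-ins for the three commands, using the sizes the article reports.
SAMPLE_COMMANDS = {
    "swipe_left": b"L" * 278,
    "swipe_right": b"R" * 374,
    "match": b"M" * 581,
}
BUCKET = 1024                 # assumed fixed size every padded command is sent at
LENGTH = struct.Struct("!H")  # 2-byte length prefix so the receiver can strip padding
CIPHER_OVERHEAD = 29          # assumed constant per-record overhead added by encryption


def pad(message: bytes, bucket: int = BUCKET) -> bytes:
    """Return length prefix + message + random filler, always exactly `bucket` bytes."""
    room = bucket - LENGTH.size
    if len(message) > room:
        # Letting an oversized message through would reintroduce a distinct size.
        raise ValueError(f"message of {len(message)} bytes exceeds bucket of {bucket}")
    return LENGTH.pack(len(message)) + message + os.urandom(room - len(message))


def unpad(record: bytes) -> bytes:
    """Recover the original message from a padded record, rejecting bad lengths."""
    if len(record) < LENGTH.size:
        raise ValueError("record shorter than length prefix")
    (size,) = LENGTH.unpack_from(record)
    if size > len(record) - LENGTH.size:
        raise ValueError("declared length exceeds record")
    return record[LENGTH.size:LENGTH.size + size]


def observed_sizes(commands: dict, padded: bool) -> dict:
    """Sizes a network observer sees; encryption hides content but not length."""
    return {
        name: len(pad(body) if padded else body) + CIPHER_OVERHEAD
        for name, body in commands.items()
    }


if __name__ == "__main__":
    print("unpadded:", observed_sizes(SAMPLE_COMMANDS, padded=False))
    print("padded:  ", observed_sizes(SAMPLE_COMMANDS, padded=True))
```

The padding has to be applied before encryption; filler appended to an already encrypted record would be trivially separable from the real ciphertext.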