Love is blind, but it shouldn’t make you blind to concerns about security and data privacy. That’s why this latest security scare about Tinder has raised eyebrows.
Israeli startup Checkmarx recently discovered that photos in Tinder are not encrypted and that anyone using the same public Wi-Fi as you can easily snoop on all your activity, including photos of you and other users, matches, and swipes, while you try to find a date.
On finding out that Tinder’s channel for transferring photos uses an insecure HTTP connection, researchers at Checkmarx managed to peep into the Tinder feed of users on the same Wi-Fi network and even inject their own pictures. The researchers also found a way to look into the text-based information on Tinder, which is usually encrypted.
“You know everything: What they’re doing, what their sexual preferences are, a lot of information,” remarks Erez Yalon, the manager of applications security at Checkmarx. The team built a program called “TinderDrift” to demonstrate its claims. Running TinderDrift on a laptop connected to a Wi-Fi network where others are likely to be looking for love at their fingertips, the team was able to completely take over the feed of other users.
Furthermore, it used cues like the size of commands in bytes to infer the meaning of encrypted data. For instance, a left swipe is backed by 278 bytes of information, while a right swipe takes up 374 bytes. Combining this with the intercepted stream of images, TinderDrift could easily reconstruct approvals and matches in real time.
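The size cue works because encryption hides a message's content but not its length. The following Python example is added here for illustration and is not code from Checkmarx or Tinder: it shows how padding each message to a fixed bucket before encryption makes the two swipe sizes quoted above indistinguishable on the wire. The 512-byte bucket, the function names and the sample bodies are assumptions.

```python
# Added example: a length side channel and a padding mitigation.
# Stream and AEAD ciphers keep ciphertext length equal to plaintext length
# plus a constant overhead, so plaintext length stands in for wire size here.

BLOCK = 512  # assumed padding bucket in bytes (hypothetical value)

# Sizes quoted in the article for the two encrypted swipe messages.
KNOWN_SIZES = {278: "left swipe", 374: "right swipe"}

# Constructed stand-ins for the two message bodies (only the length matters).
LEFT_BODY = b"L" * 278
RIGHT_BODY = b"R" * 374


def pad(body: bytes, block: int = BLOCK) -> bytes:
    """Length-prefix the body and pad to a multiple of `block` before encryption."""
    framed = len(body).to_bytes(4, "big") + body
    padded_len = -(-len(framed) // block) * block  # round up to the next multiple
    return framed + b"\x00" * (padded_len - len(framed))


def unpad(padded: bytes) -> bytes:
    """Recover the original body after decryption, rejecting malformed frames."""
    if len(padded) < 4:
        raise ValueError("frame too short")
    n = int.from_bytes(padded[:4], "big")
    if n > len(padded) - 4:
        raise ValueError("declared length exceeds frame")
    return padded[4:4 + n]


def observer_view(wire_len: int) -> str:
    """What someone who sees only the message length can conclude."""
    return KNOWN_SIZES.get(wire_len, "unknown")


def wire_lengths(bodies, padded: bool):
    """Lengths visible on the wire, with or without padding."""
    return [len(pad(b)) if padded else len(b) for b in bodies]


if __name__ == "__main__":
    bodies = [LEFT_BODY, RIGHT_BODY]
    for is_padded in (False, True):
        lengths = wire_lengths(bodies, is_padded)
        print("padded" if is_padded else "unpadded", lengths,
              [observer_view(n) for n in lengths])
```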
Checkmarx reported that it had informed Tinder of the vulnerabilities back in November but the company is yet to resolve the issue.
The app’s spokesperson responded to WIRED’s inquiry, claiming that Tinder’s profile photos are public and that the web version of Tinder is HTTPS-secured. It was further promised that Tinder is working to encrypt images on the app, but the company avoided going into details of the security protocols involved.