Just a few short weeks after Tel Aviv-based security firm Checkmarx detailed a security vulnerability in Tinder that can potentially allow users’ swipes, matches and photos to be hacked on public Wi-Fi, researchers at Appsecure have published a report about yet another vulnerability in the popular dating app that originated from a software flaw in Tinder’s own API, as well as Facebook’s Account Kit SDK that the dating service’s login process is based on.
The flaw was fixed after Appsecure contacted the two companies, but while active it let anyone access other people’s Tinder accounts with just their phone number. According to Appsecure’s Anand Prakash, the problem stemmed from the fact that, “the Tinder API was not checking the client ID on the token provided by Account Kit. This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users”.
Below is the actual video of how the vulnerability worked.
https://www.youtube.com/watch?v=tIAxmZt1joY
As mentioned already, the vulnerabilities were fixed by Tinder and Facebook fairly soon after being contacted by Appsecure. According to Prakash, the company even received a bug bounty of $5000 and $1250 from Facebook and Tinder respectively for its report.
In a statement released to The Verge, Facebook confirmed that it has fixed the issue for good, adding that the company is “grateful to the researcher who brought it to our attention”. On its part, Tinder declined to comment on the details of this case, but released the following statement: “Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers”.
