Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content. Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.
“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research),” reads the analysis published by Checkmarx.
“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”
An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.
The first issue stems from the fact that both the iOS and Android Tinder apps download profile pictures over insecure HTTP connections. Because the image traffic is unencrypted, an attacker on the same network can inspect it to determine which profiles a Tinder user is viewing.
“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile. Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected.”
This first issue could be mitigated simply by loading profile images over HTTPS.
Checkmarx also discovered a second issue, this one related to the app’s use of HTTPS: a side channel the researchers called “Predictable HTTPS Response Size”.
“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action the user took,” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action.”
An attacker in a position to observe the traffic can infer the user’s interest in a specific profile from the size of the encrypted response alone: when the user swipes left on a profile picture, the API server returns a 278-byte encrypted response, while a right swipe (liking the profile) produces a 374-byte response. Encryption hides the content of these replies but not their length, which is all that is needed to distinguish the two actions.
The researchers also noted that, because member pictures are downloaded over plain HTTP, the attacker can also view the profile images of the users being swiped left and right, and so pair each inferred action with the profile it applied to.
To mitigate this issue, the researchers suggest padding the responses: if every response were padded to a fixed size, the two actions would produce identical ciphertext lengths and an observer could no longer discriminate between them.
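The following script is an added illustration, not code from Checkmarx or from Tinder. It models the length side channel described above and the padding mitigation: a passive observer who sees only ciphertext lengths classifies each action with the 278- and 374-byte sizes reported in the article, and the same observer fails once responses are padded to a fixed size. The response bodies are constructed placeholders, and the 512-byte padding target is an assumption chosen for the demonstration.

```python
# Added example: length-based inference of a user's swipe action, and the
# fixed-size padding that defeats it. Sizes 278 and 374 are the response
# lengths reported in the Checkmarx analysis; the bodies are constructed.

SWIPE_LEFT_LEN = 278    # encrypted response size for a left swipe (from the article)
SWIPE_RIGHT_LEN = 374   # encrypted response size for a right swipe (from the article)
PAD_TO = 512            # assumed fixed size the server pads every response to


def api_response(action: str) -> bytes:
    """Constructed stand-in for the server's response to a swipe.

    A length-only observer never sees the content, so the bytes themselves
    are irrelevant; only the size matters for this demonstration.
    """
    length = {"left": SWIPE_LEFT_LEN, "right": SWIPE_RIGHT_LEN}[action]
    return b"\x00" * length


def pad_response(body: bytes, block: int = PAD_TO) -> bytes:
    """Pad the plaintext up to the next multiple of `block` bytes.

    In a real API this padding is applied to the plaintext before encryption
    (for example as a length-prefixed field the client strips), so that the
    TLS record size no longer depends on which action was taken.
    """
    padded_len = -(-len(body) // block) * block  # ceiling division
    return body + b"\x00" * (padded_len - len(body))


def infer_action_from_length(ciphertext_len: int) -> str:
    """What a passive observer can conclude from the response size alone."""
    if ciphertext_len == SWIPE_LEFT_LEN:
        return "left"
    if ciphertext_len == SWIPE_RIGHT_LEN:
        return "right"
    return "unknown"


def leak_rate(padded: bool) -> float:
    """Fraction of actions a length-only observer classifies correctly.

    With unpadded responses every action is recovered; with fixed-size
    padding both actions look identical and the observer learns nothing.
    """
    actions = ["left", "right", "left", "right", "right"]
    correct = 0
    for action in actions:
        body = api_response(action)
        if padded:
            body = pad_response(body)
        if infer_action_from_length(len(body)) == action:
            correct += 1
    return correct / len(actions)


if __name__ == "__main__":
    print("unpadded leak rate:", leak_rate(padded=False))
    print("padded leak rate:  ", leak_rate(padded=True))
    print("padded sizes:", len(pad_response(api_response("left"))),
          len(pad_response(api_response("right"))))
```

The check to run against a real API is the same one the script performs: capture the encrypted responses for each distinct user action and confirm that their sizes are indistinguishable. Padding to a fixed size (or to fixed buckets large enough to hold every variant) is what removes the distinguishing signal; changing the encryption algorithm does not, since the cipher preserves plaintext length apart from a constant overhead.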
Checkmarx disclosed both vulnerabilities to Tinder.