Anyone Could Hack into Your Tinder Account Using Just a Phone Number

Feb 21, 2018

Attackers could hack into any Tinder account using just a phone number, a security researcher has revealed. The bug exploited the way the dating service used Facebook’s Account Kit to let its users log in with their phone numbers. However, hackers could have used this “convenience” to take over Tinder accounts using just the phone number of the target.

Facebook explains its Account Kit as a service that could be used to let “people quickly register for and login to your app by using just their phone number or email address – no password needed.” In his latest bug discovery, Anand Prakash reported that the Tinder API wasn’t checking the Client ID on the token provided by Account Kit during the login process – a flaw that could have been exploited by attackers to use any other app’s access token to take over Tinder accounts.
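The missing check described above, sketched as an added example (not Tinder's or Facebook's code). The token table stands in for the login provider's token lookup, and every name and value in it (`introspect`, `OUR_APP_ID`, the tokens, the phone number) is a constructed assumption, not Account Kit's real API.

```python
# Constructed sample data: what a login provider's token lookup would return
# for each access token (the app it was issued to and the verified phone).
ISSUED_TOKENS = {
    "tok-dating-alice": {"app_id": "dating-app", "phone": "+15550100"},
    "tok-other-alice": {"app_id": "other-app", "phone": "+15550100"},
}
OUR_APP_ID = "dating-app"           # hypothetical client ID of our own app
ACCOUNTS = {"+15550100": "alice"}   # phone number -> local account


class LoginError(Exception):
    """Raised when a presented token must not be turned into a session."""


def introspect(token):
    """Stand-in for the provider call that resolves a token to its claims."""
    claims = ISSUED_TOKENS.get(token)
    if claims is None:
        raise LoginError("unknown or expired token")
    return claims


def login_vulnerable(token):
    # Flawed: accepts any token the provider considers valid, regardless of
    # which application it was issued to.
    claims = introspect(token)
    return ACCOUNTS[claims["phone"]]


def login_hardened(token):
    claims = introspect(token)
    # The check the article says was absent: the token's client ID must be ours.
    if claims.get("app_id") != OUR_APP_ID:
        raise LoginError("token was issued to a different application")
    account = ACCOUNTS.get(claims["phone"])
    if account is None:
        raise LoginError("no account for this phone number")
    return account
```

A token minted for `other-app` resolves to the same phone number, so only the client ID comparison separates the two login paths.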


“Once in, the attacker could have got hold of the user’s access token of Account kit present in cookies (aks),” he wrote. “Post that, the attacker could use the access token (aks) to log into the user’s Tinder account using the vulnerable API.”

Using this vulnerability, an attacker would get complete control of the target account.

The attacker basically has full control over the victim’s account now – he can read private chats, full personal information, swipe other user profiles left or right, etc.

The bug has now been fixed by the engineering teams of Facebook and Tinder. Both companies paid the ethical hacker for his responsible bug disclosure. The 24-year-old received $5,000 from Facebook and $1,250 from Tinder in bug bounties.

– More technical details of this now-fixed bug are available over at Prakash’s Medium post.
