Tinder Is Yet to Say Hello to HTTPS – Lack of Encryption Enables Attackers to Spy on Photos and Swipes
Attackers can see images downloaded by Tinder users and do a lot more thanks to some security flaws in the dating app. Security researchers at Checkmarx said that Tinder's mobile apps lack the standard HTTPS encryption that is important to keep photos, swipes, and matches hidden from snoops. "The encryption is done in a method which actually allows the attacker to understand the encryption itself, or derive from the type and length of the encryption what data is actually being used," Amit Ashbel of Checkmarx said.
While Tinder does use HTTPS for secure transfer of data, when it comes to images, the app still uses HTTP, the older protocol. The Tel Aviv-based security firm added that just by being on the same network as any user of Tinder - whether on the iOS or Android app - attackers could see any photo the user did, inject their own images into their photo stream, and also see whether the user swiped left or right.
This lack of HTTPS-everywhere results in leakage of information that the researchers wrote is enough to tell encrypted commands apart, enabling attackers to watch everything when on the same network. While same-network issues are often considered not that severe, targeted attacks could result in blackmail schemes, among other things. "We can simulate exactly what the user sees on his or her screen," Erez Yalon of Checkmarx said.
"You know everything: What they’re doing, what their sexual preferences are, a lot of information."
Tinder Drift - two different issues result in privacy concerns (web platform not vulnerable)
The problems stem from two different vulnerabilities - one is the use of HTTP and the other is the way encryption has been deployed even when HTTPS is used. Researchers said that they found different actions produced different patterns of bytes that were recognizable even though they were encrypted. For example, a left swipe to reject is 278 bytes, a right swipe is represented by 374 bytes, and a match by 581 bytes. This pattern combined with the use of HTTP for photos results in major privacy issues, enabling attackers to see what action has been taken on those images.
"If the length is a specific size, I know it was a swipe left, if it was another length, I know it was swipe right," Yalon said. "And since I know the picture, I can derive exactly which picture the victim liked, didn't like, matched, or super matched. We managed, one by one to connect, with each signature, their exact response."
"It's the combination of two simple vulnerabilities that create a major privacy issue."
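The length side channel described above goes away when every response is padded to the same size before it is encrypted. The following is an added example, not code from Checkmarx or Tinder: the function names and the bucket size are assumptions, and it treats ciphertext length as plaintext length plus a constant overhead.

```python
import struct

# Encrypted response sizes reported on the page, in bytes.
OBSERVED = {"swipe_left": 278, "swipe_right": 374, "match": 581}

BUCKET = 1024                 # assumed bucket size, larger than any message + header
HEADER = struct.Struct("!I")  # 4-byte big-endian length prefix


def pad(message: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix the message and zero-pad it to the next bucket multiple."""
    framed = HEADER.pack(len(message)) + message
    padded_len = -(-len(framed) // bucket) * bucket  # round up to a bucket multiple
    return framed.ljust(padded_len, b"\x00")


def unpad(padded: bytes) -> bytes:
    """Recover the original message; reject frames whose length field is impossible."""
    if len(padded) < HEADER.size:
        raise ValueError("frame shorter than header")
    (n,) = HEADER.unpack_from(padded)
    if n > len(padded) - HEADER.size:
        raise ValueError("declared length exceeds frame")
    return padded[HEADER.size:HEADER.size + n]


def distinguishable(sizes) -> bool:
    """True if an observer who sees only lengths can tell the actions apart."""
    return len(set(sizes)) > 1


def padded_sizes(bucket: int = BUCKET) -> dict:
    """Padded length per action, using constructed bodies of the page's sizes."""
    return {name: len(pad(b"x" * size, bucket)) for name, size in OBSERVED.items()}


if __name__ == "__main__":
    print("unpadded leaks action:", distinguishable(OBSERVED.values()))
    print("1024-byte buckets:", padded_sizes())
    # A bucket smaller than the largest message still separates "match".
    print("256-byte buckets:", padded_sizes(256))
```

With 256-byte buckets the two swipes collapse to one size but the match response still stands out, so the bucket has to cover the largest message.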
The attack remains completely invisible to the victim because the attacker isn't "doing anything active," and is just using a combination of HTTP connections and the predictable HTTPS to snoop into the target's activity (no messages are at risk). "The attack is completely invisible because we're not doing anything active," Yalon added.
"If you're on an open network you can do this, you can just sniff the packet and know exactly what's going on, while the user has no way to prevent it or even know it has happened."
Checkmarx informed Tinder of these issues back in November; however, Tinder is yet to fix the problems. When contacted, Tinder said that its web platform encrypts profile images, and the company is "working towards encrypting images on our app experience as well." Until that happens, assume someone is watching over your shoulder while you make that swipe on a public network...