Tinder’s inability to utilize HTTPS encryption for images as well as the use of recognizable data patterns for other commands allow attackers to track in-app activities of users, Tel Aviv-based security firm Checkmarx announced yesterday. Since Tinder does not use HTTPS encryption for photographs, the images seen by the user can be intercepted and seen by any attackers who are on the same Wi-Fi network. The lack of HTTPS encryption also allows attackers to inject images into the user’s Tinder photostream. Moreover, the security researchers observed that while the other data transmitted by Tinder is encrypted, they were still able to retrieve sufficient information that can be used to tell the different in-app actions apart. For example, the swipe left gesture, which rejects a potential date, is represented by a data pattern of 278 bytes, while the data pattern for the swipe right gesture has a length of 374 bytes. On the other hand, a match is represented by a data pattern of 581 bytes.
In order to demonstrate how the security flaw can be exploited, the researchers from Checkmarx developed a “proof-of-concept” software dubbed TinderDrift. The software combines both the intercepted images and the data pattern length of different in-app commands in order to reconstruct how the individual used the application. The software can also label any images that were accepted or rejected by the person. In order for the software to work, all the attacker needs to do is to connect a laptop running the software to a Wi-Fi network on which other people are using Tinder. The researchers noted that the data obtained by exploiting the vulnerability can be used to blackmail users.
The security researchers stated that they have informed Tinder about the vulnerability back in November, although it seems that the company has not yet resolved the issue. Tinder reiterated that it is committed to protecting its users from attackers in response to the findings. The company noted that it is already using HTTPS encryption for the web interface of the dating app. In order for the app to be fully secured against attackers, Checkmarx recommended Tinder to encrypt its mobile images and ensure that the data patterns used by other commands have random and different lengths.