The Checkmarx Security Research Team found disturbing vulnerabilities in Tinder, a highly popular dating application used by people across the globe. The report describes how a malicious attacker can exploit these vulnerabilities to cause serious privacy breaches for an unsuspecting user.
Are you a Tinder user? As Rockwell put it in his famous song, if you always feel like somebody's watching you and you have no privacy, chances are you might be right. After completing the responsible disclosure process with Tinder's security team, Checkmarx's Security Research Team decided to release its research describing two major Tinder vulnerabilities.
Launched in 2012, Tinder is one of the first "swiping apps", letting users swipe through profiles to make social connections: swiping right on a profile they like, swiping left to move on to the next profile and indicate a lack of interest, or "super liking" with an upward swipe. The application is most commonly used as a dating platform, has produced over 20 billion matches to date and is used in 196 countries.
The vulnerabilities, found in both the app's Android and iOS versions, allow an attacker on the same network as the user (a public Wi-Fi hotspot, for example) to monitor the user's every move in the app. The attacker can also take control of the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other malicious content (as demonstrated in the research).
While no credentials are stolen and there is no immediate financial impact, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information drawn from the user's Tinder profile and actions in the app.
The research also raises an important question: how accustomed have we grown to a lack of privacy? With all the large-scale attacks on our privacy, people seem to accept that every app they open is a potential privacy risk. Can a highly popular matching app such as Tinder look the other way when such vulnerabilities are exposed? Should app makers publicize every single vulnerability or, with an overwhelming amount of "hacking" going on, is it acceptable to occasionally look the other way?
Knowing that an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing. But is it enough to make you abandon the app altogether? Most apps nowadays seem to be vulnerable, so what is the alternative? Where do we, as users, draw the line? Is it at the smallest compromise of our privacy, or do we shrug it off until sensitive data is stolen?
These questions matter today and should be asked. The answers will ultimately determine how much effort companies such as Tinder, EA and even Uber put into releasing their apps free of vulnerabilities (or as close to that as humanly possible).
With the upcoming EU GDPR, we can expect a positive turn in application security. That being said, it is still up to us, the users, to be our own watchdogs and draw a very clear line as to how forgiving we are of our privacy being compromised.
Until all application makers implement comprehensive application security testing, we should remain cautious and mindful. This means avoiding public networks as much as possible, preferring HTTPS to HTTP, and generally being aware of what might be happening over our virtual shoulder.
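For app makers, the corresponding control sits on the client side: an app that refuses cleartext HTTP altogether gives a same-network attacker nothing to read or replace, whatever network the user happens to be on. The Android network security configuration below is an added example of that check; it is not taken from the research or from Tinder's own code, and the host name legacy.example.com is a placeholder used only for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added example, not taken from the research or from any Tinder code.
     Referenced from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     and honoured on Android 7.0 (API 24) and later.

     The weak setting this replaces is
       <base-config cleartextTrafficPermitted="true" />
     which is also the effective default for apps targeting API 27 and below.
     With it, any resource the app loads from an http:// URL (a profile
     picture, say) can be read and rewritten by an attacker on the same
     network. -->
<network-security-config>
    <!-- Hardened: refuse every cleartext connection the app tries to open.
         An http:// request now fails with an exception instead of silently
         going out unencrypted. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the platform CA store, not user-installed CAs,
                 so a certificate added by a local interception proxy is
                 not accepted for the app's TLS connections. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- If one host genuinely cannot be served over TLS yet, allow cleartext
         for that host alone rather than globally. The host below is a
         placeholder (an assumption for this example). -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
</network-security-config>
```

Android enforces this policy in its platform HTTP stack and in WebView, so a stray http:// image URL surfaces as a failed load during testing rather than as an unencrypted fetch in production. iOS serves the same purpose with App Transport Security, which rejects plain HTTP by default unless the app explicitly opts out.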
The full research report is available from Checkmarx: Are You on Tinder? Someone May Be Watching You Swipe