In the News

Are You on Tinder? Someone May Be Watching You Swipe

23 Jan 2018 | By Dafna Zahger

After undergoing the responsible disclosure procedure with Tinder’s security team, Checkmarx’s Security Research Team decided to release their research describing two major Tinder vulnerabilities.

 

Launched in 2012, Tinder is one of the first “swiping apps” allowing users to swipe through profiles to ultimately make social connections; swiping right for a profile they like, swiping left to move on to the next profile indicating lack of interest or “super liking” with an upward swipe. The application is most commonly used as a dating platform, having matched over 20 billion people to date and used in 196 countries.


Tinder Security Bug: Encryption Flaw Exposes Photos, Swipes To Hackers

23 Jan 2018 | By AJ Dellinger

Application security testing company Checkmarx first identified the issue, which allows an attacker to decode encryption signatures in both the iOS and Android version of Tinder to see what actions a user took while viewing the profile of another user.

According to the researchers, most aspects of Tinder use the HTTPS communications protocol, which creates a secure and encrypted tunnel that allows information to travel between the user’s device and Tinder’s servers while using the app.


Tinder flaws could expose your swipes to prying eyes

23 Jan 2018 | By Swapna Krishna

Today, the security firm Checkmarx released troubling information about two vulnerabilities within Tinder, the popular dating app. The issues are present in both the iOS and Android app and allow a user on the same network to monitor what a person is doing on Tinder. Additionally, an attacker could control the pictures a user sees on Tinder; it's possible to swap them out for malicious content.

It's important to note that what a hacker could do through these flaws is relatively narrow, but it does allow a person to gain access to sensitive personal information. The issue is due to a lack of HTTPS encryption on photos; other elements of the app that do require this kind of encryption still leaked enough information to be able to monitor a user's actions.


APP FLAWS ALLOW SNOOPS TO SPY ON TINDER USERS, RESEARCHERS SAY

23 Jan 2018 | By Christopher Kanaracus

Researchers at Checkmarx say they have discovered a pair of vulnerabilities in the Tinder Android and iOS dating applications that could allow an attacker to snoop on user activity and manipulate content, compromising user privacy and putting them at risk.

Attackers can view a user’s Tinder profile, see the profile images they view and determine the actions they take, such as swiping left or right, if they are on the same wi-fi network as a target, according to a Checkmarx report released Tuesday.


Hackers can see your Tinder photos and figure out your matches

23 Jan 2018 | By Shannon Liao

Tinder isn’t using encryption to keep your photos safe from strangers who are sharing the same coffee shop Wi-Fi as you, security researchers found in a report today. Researchers from the Tel Aviv-based firm Checkmarx found that Tinder’s iOS and Android mobile apps still lack basic HTTPS encryption, meaning that anyone sharing the same Wi-Fi as you can see your Tinder photos or add their own into the photostream.

The firm built a proof-of-concept app called TinderDrift, demoed on YouTube, that can reconstruct a user’s session on Tinder if that person is sharing the same Wi-Fi. Although swipes and matches on Tinder remain HTTPS-encrypted, potential hackers on the network can still tell encrypted commands apart due to the specific patterns of bytes that represent a left swipe, a right swipe, a Super Like, and a match, according to Checkmarx.


Major Tinder security flaw could enable hackers to spy on your swipes

23 Jan 2018 | By Chris Smith

The security flaw, which Checkmarx demonstrated in a proof-of-concept app, enables a third party to intercept images, provided the user is on the same Wi-Fi network.

The malicious individual could even use the exploit to insert their own photos into the unsuspecting user’s stream.


Swipe fright: Tinder hackers may know how desperate you really are

23 Jan 2018 | By Shaun Nichols

A lack of security protections in Tinder's mobile app is leaving lonely hearts vulnerable to eavesdropping.

That's according to security biz Checkmarx this week, which claimed Android and iOS builds of the dating app fail to properly encrypt network traffic, meaning the basic actions of peeps looking to hookup – such as swipes on profiles – could be collected by anyone on the same Wi-Fi or carrying out similar snooping.


Vulnerabilities let people see your Tinder swipes and photos

23 Jan 2018 | By Alfred Ng

You might want to swipe left on Tinder's security.

Researchers at Checkmarx, which helps developers test the security of their applications, said in a blog post Tuesday that the popular dating app has a couple of vulnerabilities. The flaws could let an attacker on the same Wi-Fi network you're using see what profile photos you're looking at and whether you swipe right or left, Checkmarx said. That's because profile pictures on Tinder use HTTP instead of HTTPS, the encrypted protocol that more than half the internet uses to protect data from prying eyes.


2018 DevOps Predictions

18 Dec 2017 | By

In 2018 one major change we will see as it relates to Application Security (AppSec) is that there will be a reduction of organizations running their own dynamic application security testing (DAST). Many organizations will begin to leverage interactive application security testing (IAST), validating the results by running DAST-as-a-Service. Looking past 2018, the application security testing portfolio will continue to grow with an increase of static application security testing (SAST) as part of the development environment. There will also be a stronger emphasis of security (Sec) into DevOps and will allow developers to take a more active role and ownership in identifying and remediating code vulnerabilities. The DevOps world will be the first to adapt IAST solutions that are able to leverage automation tests to deliver security analysis in real time.
