SEX AND DATING app Tinder lacks basic HTTPS encryption for its photos, enabling any marginally tech-savvy Wi-Fi lurkers to spy on a user's pics.
Israeli cyber security firm Checkmarx noted that the lack of HTTPS encryption on the photos section of the app enabled them to snoop on a Tinder user's pictures if they were on the same Wi-Fi connection.
While the modus operandi of Tinder is to basically have strangers swiping through your selected photos, the researchers found that they could also exploit the lack of HTTPS to insert their own images into a user's photo stream - not the kind of insertion a lot of Tinder fans will be looking for.
"It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content," Checkmarx's blog explained.
Other user data in Tinder is protected with HTTPS. But the Checkmarx researchers found it still leaked enough information in the form of patterns of bytes for them to figure out what a user was doing in the app, such as swiping right to express an interest in a lucky guy or gal.
"While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user's Tinder profile and actions in the app," noted Checkmarx.
Now to exploit such vulnerabilities, you'll likely need to be a bit savvy with Wi-Fi networks and code.
But Checkmarx created proof-of-concept hacking software called TinderDrift, which makes a mockery of the lack of HTTPS by picking up Tinder activity on a local network and essentially reconstructing a Tinder user's activity.
Checkmarx says it alerted Tinder to the vulnerabilities and exploit potential, but the company has yet to respond or fix the security holes.
Tinder did swipe right on Wired's request for comment and noted that it is working on adding HTTPS to its photos and that the web app makes use of the secure protocol.
"We are working towards encrypting images on our app experience as well," the spokesperson told Wired.
"However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers."
It looks like Tinder has some work to do to shore up the security of its app. But we doubt the lack of HTTPS will see horny users shy away from Tinder and its ability to rapidly facilitate a roll in the hay anytime soon.