PROMISCUITY PROPAGATOR Tinder has been found to harbour a flaw that could've allowed hackers to take over an account with just a phone number.
Tinder rushed to plug the hole highlighted by cybersecurity company AppSecure, which stems from how the Tinder app authenticates logins using Facebook's Account Kit service.
As Tinder uses Facebook profile pics for its users to lure in a mate or several, the 'dating' app is somewhat tied to the social network. When a swipe-hungry Tinder user comes to login to their account they can either do so via Facebook or use their mobile number.
With the latter, if the authentication is successful, Account Kit passes on an access token to Tinder. But AppSecure found that Tinder wasn't checking the client ID on the token, meaning anyone could use any token provided by Account Kit and use it to access any Tinder profile.
Tinder doesn't hold vast amounts of private and sensitive data, given users would then be exposing themselves to other thirsty users. But a compromised account could be used to wreak havoc for the legitimate user, matching them with people the wouldn't touch with a cattle prod and swiping left on people who would usually see them retire to their rooms for a bit of... ahem... self-reflection.
To access the Account Kit token takes a little security know-how and skill, but the process isn't as complicated as some hacks, as AppSecure demonstrated in a proof of concept video (below).
It also relies on not just the lack of token ID checking by Tinder, but also a vulnerability in Account Kit, which exposed a user's token through a relatively straightforward application programming interface (API) request.
Facebook has since fixed the security hole and rewarded AppSecure's researchers with $5,000; Tinder offered $1,250 for spotting the bug on its side.
Such login and authentication flaws are sadly rather commonplace in the app world, but they often pose little risk outside the meddling of cyber security researchers, unlike the devastating macOS High Sierra password flaw. µ
Flagship will launch a day early to avoid being 'overshadowed' by Apple
EC says merged entity will 'continue to face significant competition'
Alexa, give me a reason to be cheerful about the UK economy
No, it isn't 1 April