Researchers at Checkmarx say they have discovered a pair of vulnerabilities in the Tinder Android and iOS dating applications that could allow an attacker to snoop on user activity and manipulate content, compromising user privacy and putting them at risk.
Attackers can view a user’s Tinder profile, see the profile images they view and determine the actions they take, such as swiping left or right, if they are on the same wi-fi network as a target, according to a Checkmarx report released Tuesday.
“Other scenarios where an attacker can intercept traffic include VPN or company administrators, DNS poisoning attacks or a malicious internet service provider – to name a few,” researchers wrote.
One vulnerability lies in the fact that currently, both the iOS and Android versions of Tinder download profile pictures via insecure HTTP connections, Checkmarx said.
“Attackers can easily discover what device is viewing which profiles,” the researchers wrote. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.”
Researchers said the vulnerability also could allow an attacker to intercept and modify traffic. “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,” they said.
Checkmarx recommends all Tinder application traffic be moved to HTTPS. “One might argue that this affects speed quality, but when it comes to the privacy and sensitivity needed, speed should not be the main concern,” it said.
Tinder couldn’t immediately be reached for comment for this report.
Beyond the use of insecure HTTP, Checkmarx found an issue with Tinder’s use of HTTPS. Researchers call this vulnerability a “Predictable HTTPS Response Size”.
“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image request traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action the user took. This is done by checking the API server’s encrypted response payload size to determine the action,” researchers said.
For example, when a user swipes left on a profile picture, indicating a lack of interest in a profile, the API server delivers a 278-byte encrypted response. Swiping right, which means a user likes a particular profile, generates a 374-byte response, Checkmarx said.
Because Tinder member pictures are downloaded to the app via an insecure HTTP connection, it’s possible for an attacker to also view the profile images of those users being swiped left and right.
“User responses should not be predictable,” the researchers wrote. “Padding the requests and responses should be considered in order to reduce the information available to an attacker. If the responses were padded to a fixed size, it would be impossible to differentiate between them.”
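As an added example (not Checkmarx’s or Tinder’s code), the following Python models the response-size channel described above and the fixed-size padding fix the researchers recommend. The JSON bodies, the constant per-record TLS overhead and the 512-byte padded size are constructed assumptions, chosen so the unpadded ciphertexts come out at the article’s 278 and 374 bytes.

```python
import json

TLS_OVERHEAD = 29           # constructed: constant AEAD overhead (header, nonce, tag) per record
FIXED_RESPONSE_SIZE = 512   # constructed: every API response is padded to this many bytes


def constructed_response(action: str, plaintext_len: int) -> bytes:
    """Build a constructed JSON body of exactly plaintext_len bytes for an action."""
    base = json.dumps({"status": 200, "action": action, "pad": ""})
    filler = plaintext_len - len(base)
    if filler < 0:
        raise ValueError("plaintext_len too small for the base body")
    return json.dumps({"status": 200, "action": action, "pad": "x" * filler}).encode()


def ciphertext_len(plaintext: bytes) -> int:
    """What a network observer sees: encryption hides content, not length."""
    return len(plaintext) + TLS_OVERHEAD


def pad_to_fixed(body: bytes, size: int = FIXED_RESPONSE_SIZE) -> bytes:
    """Pad body to exactly `size` bytes; the last 4 bytes record the real length."""
    if len(body) + 4 > size:
        raise ValueError("body does not fit in the fixed response size")
    return body + b"\x00" * (size - len(body) - 4) + len(body).to_bytes(4, "big")


def unpad(padded: bytes) -> bytes:
    """Recover the original body from a fixed-size padded response."""
    return padded[: int.from_bytes(padded[-4:], "big")]


def length_leak(responses: dict) -> dict:
    """Map each observed ciphertext length to the set of actions producing it.
    A length that maps to exactly one action reveals that action to an observer."""
    seen: dict = {}
    for action, body in responses.items():
        seen.setdefault(ciphertext_len(body), set()).add(action)
    return seen


def is_distinguishable(responses: dict) -> bool:
    """True if the length channel alone identifies at least one action."""
    return any(len(actions) == 1 for actions in length_leak(responses).values())


# Constructed plaintexts sized so the encrypted responses are 278 and 374 bytes.
RAW = {a: constructed_response(a, n) for a, n in {"pass": 249, "like": 345}.items()}
PADDED = {a: pad_to_fixed(b) for a, b in RAW.items()}

if __name__ == "__main__":
    print(length_leak(RAW))     # two lengths, each tied to a single action
    print(length_leak(PADDED))  # one length shared by both actions
```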
Checkmarx disclosed both vulnerabilities to Tinder prior to the report’s publication and calculated a CVSS base score of 4.3 for each.
While it’s unclear whether an attacker has already exploited the vulnerabilities, doing so could expose Tinder users to blackmail and other threats, beyond an invasion of their privacy, Checkmarx said.