Slashdot Mirror


Eavesdropping On Tinder: Researcher Demonstrates Man-in-the-Middle Attacks (hert.org)

An anonymous Slashdot reader writes: Security expert Anthony Zboralski posted on HERT a social engineering attack for Tinder that lets you perform a man-in-the-middle attack against unsuspecting users. Zboralski says, "Not only we can eavesdrop on the conversation of two strangers, we can also change their reality." The attack can easily be extended to SMS, Whatsapp, iMessage and voice.
"At some point people exchange phone numbers and the Tinder convo stops. That's not a problem..." Zboralski explains, suggesting more ways to continue the man-in-the-middle exploits.

His article drew a response from Tinder, arguing they "employ several manual and automated mechanisms" to deter fake and duplicate profiles. But while they're looking for ways to improve, "ultimately, it is unrealistic for any company to positively validate the real-world identity of millions of users while maintaining the commonly expected level of usability."

19 comments

  1. MitM by FrankHaynes · · Score: 4, Funny

    Would a man-in-the-middle attack on Tinder amount to a 3-way?

    --
    slashdot: A failed experiment.
    1. Re:MitM by Anonymous Coward · · Score: 0

      Had to look it up. This is an app in the app that uses swiping 'technology'. Wow - great. Why would I be surprised that anything associated with this psychopath Zuckerberg has consequences for my privacy?

    2. Re:MitM by Anonymous Coward · · Score: 0

      > Would a man-in-the-middle attack on Tinder amount to a 3-way?

      I prefer to think of it as a woman-in-the-middle consensual spit roast. But yes.

    3. Re: MitM by Anonymous Coward · · Score: 0

      Mod parent urban funny!

    4. Re:MitM by Anonymous Coward · · Score: 0

      I wouldn't want to be the man in the middle of that :D

  2. Not a MitM attack by Afty0r · · Score: 1

    In my mind, that's creating a fake profile, and pretending to be someone else. In my opinion, a specious use of the phrase "Man in the Middle" because at no point has party A or party C confirmed their identities.

    1. Re:Not a MitM attack by SeattleLawGuy · · Score: 1

      > In my mind, that's creating a fake profile, and pretending to be someone else. In my opinion, a specious use of the phrase "Man in the Middle" because at no point has party A or party C confirmed their identities.

      They have confirmed their identity against a fake Facebook account. Technically it is a man-in-the-middle attack, it's just so primitive it looks like cheating.

      Kind of like when you write code to implement TCP over voice. (Basically re-inventing the modem, but slower and over an airgap!) Technically the two machines are networked with TCP, but it still feels like cheating.

      --
      Real lawyers write in C++
  3. Could be by Anonymous Coward · · Score: 0

    a false-flag operation.

    1. Re:Could be by Anonymous Coward · · Score: 0

      Every time I go out, I take my signaling flag collection with me. You know, singles in the city are like ships in the night. The flags, they do nothing!

  4. Let's be honest by Rik+Sweeney · · Score: 1

    The only thing we really want this exploit to do is to tell us who has already fancied us.

  5. remember the movie Sneakers? by Anonymous Coward · · Score: 0

    When Tinder matches a super-model with a super-nerd you've gotta know something is up.

  6. Oh lawd by Anonymous Coward · · Score: 0

    >we can also change their reality

    *furious wanker gesture*

  7. Not in the US by DBCubix · · Score: 1

    He may be a researcher, but this study wouldn't pass any US IRB board as sanctioned research.

    --
    I called it a mighty Sperm Whale, she called it Finding Nemo.
  8. Usable acceptability by Anonymous Coward · · Score: 0

    Then it's our fault for being such lazy, attention span deprived retards that we can't take more time to utilize something secure. People in our society are digging their own graves, I hope all that shoveling gets more tiresome than assuming a few minutes of personal responsibility at some point.

  9. Clickbait-ery by Zanadou · · Score: 1

    > The attack can easily be extended to SMS, Whatsapp, iMessage and voice.

    So... you're claiming Tinder first just to get clickbait... right?

    1. Re:Clickbait-ery by Anonymous Coward · · Score: 0

      They use their Tinder MITM position to replace phone numbers with their own and further the MITM position on other mediums.

  10. MITM? by sexconker · · Score: 1

    That's more of a Grinder thing, isn't it?

  11. MitM by Anonymous Coward · · Score: 0

    But in that case, you have to begin the conversation. There is no way to perform this kind of an attack on the existing conversations, which are the sweet target. It requires you not only to be the attacker, but also the guy who desperately tries to get these two people together.

    Too much work, not enough elegance.