Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com)
Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder.
When different user actions result in widely different application behavior, it will always be easy to infer the user action. E.g., if matching is the only action that does not result in a new profile being presented, then observation of the smaller data exchange will lead to that inference.
The only way to avoid this is to make the network traffic identical for all cases, which is extremely wasteful of bandwidth and, presumably, battery life.
That said, encryption of all data should be standard now. There is some overhead, but it's not the 1990s---crypto is not that burdensome.
---
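The side channel described in the comment above can be shown end to end. The following is an added example, not Checkmarx's tooling or anything from Tinder's code: it models a hypothetical swipe API (the JSON bodies, the `img.example` URLs and the "thread-42" chat id are all constructed), computes the only thing a same-network observer gets from TLS, namely the ciphertext length of each request and response, and shows that a one-byte difference between "left" and "right" plus the small "it's a match" response is enough to read every swipe. Padding every message to a fixed bucket (the wasteful fix the commenter mentions) collapses the fingerprints.

```python
import json
import random

TLS_OVERHEAD = 5 + 16   # record header + AEAD tag: constant, so the plaintext length leaks exactly
ACTIONS = ("left", "right", "match")   # "match" = a right swipe that the server answers with a match
SESSION = ["left", "right", "match", "right", "left", "match"]   # constructed sniffed session

# --- hypothetical app protocol (constructed for this example, not Tinder's real API) ---
def request_body(action, profile_id):
    op = "right" if action == "match" else action          # the client cannot know it will match
    return json.dumps({"op": op, "profile": profile_id}).encode()

def response_body(action, rng):
    if action == "match":
        # a match opens a small fixed dialog and presents no new profile
        return json.dumps({"match": True, "chat": "thread-42"}).encode()
    # an ordinary swipe returns the next profile: variable-length bio and photo list
    profile = {
        "id": rng.randint(10**6, 10**7 - 1),
        "bio": "x" * rng.randint(50, 300),
        "photos": ["https://img.example/%d.jpg" % rng.randint(1, 10**6)
                   for _ in range(rng.randint(1, 6))],
    }
    return json.dumps(profile).encode()

def pad(buf, bucket):
    """Pad to a multiple of `bucket` bytes; bucket must exceed the largest message."""
    if bucket is None:
        return buf
    return buf + b"\0" * (-len(buf) % bucket)

def encrypted_lengths(action, rng, bucket=None):
    """What a Wi-Fi sniffer sees for one action: (request length, response length)."""
    profile_id = rng.randint(10**6, 10**7 - 1)   # fixed width, so only the op changes request size
    req = pad(request_body(action, profile_id), bucket)
    resp = pad(response_body(action, rng), bucket)
    return len(req) + TLS_OVERHEAD, len(resp) + TLS_OVERHEAD

# --- the attacker: learn fingerprints from their own phone, then classify the victim's traffic ---
def build_fingerprints(rng, samples=200, bucket=None):
    fp = {}
    for action in ACTIONS:
        reqs, resps = set(), []
        for _ in range(samples):
            r, s = encrypted_lengths(action, rng, bucket)
            reqs.add(r)
            resps.append(s)
        fp[action] = (reqs, min(resps), max(resps))
    return fp

def classify(fp, req_len, resp_len):
    """Match the request length exactly, then pick the closest response-length range."""
    cands = [(a, lo, hi) for a, (reqs, lo, hi) in fp.items() if req_len in reqs]
    if not cands:
        return "unknown"
    def dist(lo, hi):
        return 0 if lo <= resp_len <= hi else min(abs(resp_len - lo), abs(resp_len - hi))
    scored = sorted((dist(lo, hi), a) for a, lo, hi in cands)
    if len(scored) > 1 and scored[0][0] == scored[1][0]:
        return "ambiguous"      # padding makes every action look identical
    return scored[0][1]

def sniff_session(fp, rng, actions, bucket=None):
    return [classify(fp, *encrypted_lengths(a, rng, bucket)) for a in actions]

def demo(bucket=None):
    """Train on seed 1, sniff a separate seed-2 session; returns the inferred actions."""
    fp = build_fingerprints(random.Random(1), bucket=bucket)
    return sniff_session(fp, random.Random(2), SESSION, bucket=bucket)

if __name__ == "__main__":
    print("unpadded:", demo())            # recovers SESSION exactly
    print("padded:  ", demo(bucket=1024))  # every event is "ambiguous"
```

The padded variant costs roughly 1 KiB per direction per swipe in this model, which is the bandwidth and battery trade-off the comment refers to; real deployments usually settle for padding to a few size buckets and adding dummy traffic rather than a single fixed size.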
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Being that it is a popular app, there will be a lot of people using it.
There are a lot of taboos in our culture around dating and sexuality in general.
Realizing that a perfectly normal-seeming person has some sort of fetish can often be used against them: making it public, making people feel uncomfortable, or being a reason to separate them from a particular job or group, or causing divorces and other things, from a moment of curiosity or bad judgement.
These types of services really should take privacy seriously, as breaches can ruin people's lives.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Maybe if you've got a stalker watching who you swipe on Tinder, you should ask him/her out on a date instead? Problem solved.
If you are using the Internet you aren't taking privacy seriously. The Internet is not private. It is a network and that is the antithesis of privacy.
I don't think perverts care much about tech security. They just care about getting their rocks off.
You know, I'm a grumpy old man who doesn't use apps, and even I know what Tinder is.
If a company was valued at $3 billion in August, and they're not using https and the like ... the CEO and the developers are all incompetent, lazy idiots who are pretty much running a global company as if they're clueless idiots straight out of school. The equivalent of castration doesn't seem like too much for a company who can't do basic security .. certainly not one worth that much.
Sorry, but the more your company is worth, the less you get to have any excuses for shit security.
But the new app economy apparently means useless morons who appeal to idiots with shiny baubles can be incompetent at running a multi-billion dollar entity.
This is just yet another reason why I distrust apps and have no interest in them. Because the greed goes in before the quality does, and marketing people don't give a fuck about your privacy or security. And unfortunately as they become rich not having shitty software never seems to become a priority.
Asshole silicon valley millionaires, selling snake oil and dog shit.
Come on, these people are hooking up strangers, and they will be concerned about security?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
HTTPS only makes it harder for an MitM (ISP) to listen in and if the ISP is malicious they can repacket your connection.
It isn't sufficient for Tinder to switch to HTTPS. It is also necessary that the end user knows that it is supposed to be HTTPS and that the certificate shouldn't be self-signed.
HTTPS also won't hide what server you are connecting to so if the culture is averse to dating and sexuality then you are screwed either way.
The fetish thing can be a concern, but I would say it is pretty insignificant compared to not being able to trust your ISP.
If your ISP is malicious then you are screwed.
Even if you manage to set up a secure link by sharing certificates through sneakernet or whatever that will only hide your data. The ISP will still see that you connect to Tinder.
You can use Tor, but if you are the ISP then you can block and delay packets as you see fit until you have mapped the traffic.
Or causing divorces and other things
If you being on Tinder leads to a divorce, then it is pretty clear that you didn't talk it through with your spouse beforehand and that you cheated on him/her.
If that is the case then you got what you had coming to you. Be glad it didn't turn into a double murder.
That's my assessment as well.
It's worth bringing up I guess, if you live in a country where being a different sexual orientation is a capital offence.
This seems like some really shoddy and/or lazy development. More than this particular issue, it makes you wonder what other shortcuts or sloppy development they have hiding in their app.
There is also the opportunity for blackmail. A few choice photos that were "leaked" can ruin someone's career, or in some countries, have them executed.
I thought other places would have learned a lesson in protecting their users after the Ashley Madison breach, with the fallout that happened over that. However, guess not.
Time to swipe left on that service until they actually put some value into their internal security.
If you are using an app you may not have such visibility, and even if you are using a website, who other than us tech guys will dig down into the HTML and see that the pictures are not encrypted?
This argument is like the one Microsoft made in the late 1990s to push ActiveX over Java. While the Java applet avoided writing and reading directly to your disk, limiting its functionality, this wasn't the case with ActiveX. Instead the app would pop up an alert stating that this could be dangerous, figuring that the average person would be smart enough to avoid running an ActiveX control from an outside site that isn't trustworthy. That wasn't the case. And in the early 2000s Microsoft got hit with a battery of hacks and spyware because of this.
The average person, if trying to get something (a video, play a game, see content), will click the link and accept the warnings to see such information. The real responsibility lies with the vendor releasing the products. Because people will be stupid; even the best of us may have a lapse in best security practices from time to time. That one email that really looked legit where you clicked the link, a mistyped URL bringing you to a phishing site...
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The issue is these people may not actually be perverts, but just looking for romance.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
How much do people pay Tinder to be a member?
Because, if it's free, then they don't give a fuck about your security, they care about their profits. At the very least, they rushed it out the door and it's badly written and insecure and they'll never bother to fix it.
Me, I just assume all apps are created by incompetent greedy assholes who are only interested in their own bottom line and have a business model which amounts to collecting and selling your personal information.
My app policy is that most of the companies who make apps can pucker up and kiss my ass because I don't plan on using them anyway.
If you are using the Internet you aren't taking privacy seriously.
That's why I never use the internet. I especially don't use it to post comments to a forum where anyone else might see my opinions on things.
"That's the way to do it" - Punch
I agree 100%. Only idiots use the Internet.
If you are using closed source software you REALLY shouldn't be concerned about privacy, because the software could literally be doing anything.
Social media makes your personal information public! Film at 11! Another amazingly, intellectually stimulating contribution by msmash! It's a HOOK UP app for one night stands for crying out loud!
We'll make great pets
There's fucking videos of me getting pegged on the internet. I'm so far past giving a shit that I can't even remember what it felt like.
Links please!
What could they possibly learn from the fact that I swipe right on everyone, other than I'm incredibly lonely?
Imagine a 'mess with Tinder' app that sits on your phone, and allows you to inject images of your choice into the stream of anyone using the same local connection.
I would actually love to see the United States evolve forward to 22nd Century homestead life just to watch Assholes be completely clueless about how to survive.
I don't get it.
To be usable the Tinder app requires you to post pictures of yourself, presumably looking as attractive as possible in some way, and a come-on line and a few personal details such as what gender you are and what gender you are looking for. Anybody can view all that.
So after exposing all that what you swipe on is supposed to be a "risk" of some kind? Seems to me that ship already sailed.
So unless someone is using Open Source with no internet connection (see also earlier post in this thread from this doofus) then they aren't serious about privacy? I was so sure banks were serious about their privacy too.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Masterfully crafted.
Possibility #1: You care about privacy. If you actually care about privacy you are already routing all of your internet traffic through a no-logging VPN paid for through an anonymous crypto-currency wallet. Result: this problem doesn't affect you because all your traffic to the VPN provider is encrypted anyway.
Possibility #2: You don't care about privacy. Result: this also doesn't affect you because you don't care anyway.
Conclusion: non-issue.
This random stranger is able to see me trying to hook up with random strangers! This security vulnerability leaves me open to being seen by a total stranger, but not necessarily one of the ones I want to be seen by, as far as I know, since they are all strangers.
- For the complete works of Shakespeare: cat
You're saying that as if the real world is so much better. I live in a moderately big city, but literally every time I meet some girl, the next time I meet up with my friends at least one of them says that an acquaintance told him (or more usually, her) he saw me with a strange girl the other night.
I thought it was "Timber", the dating app for lumberjacks!
"I'm a lumberjack and I'm OK, I work all night and I sleep all day!"