Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes

Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.

who gives a shit

[pezpunk]

whoopty fuckin doo.

Re:who gives a shit

[jellomizer]

Being that is a popular app, there will be a lot of people using it.
There is a lot of taboos in our culture around dating and sexuality in general.
Realizing the perfectly normal seeming person has some sort of fetish, can often be used against them by making it public, making people feeling uncomfortable, or being a reason to separate them from a particular job, group. Or causing divorces and other things, from a moment of curiosity or bad judgement.

These types of services really should take privacy seriously. As breaches can ruin peoples lives.

Re:who gives a shit

[110010001000]

If you are using the Internet you aren't taking privacy seriously. The Internet is not private. It is a network and that is the antithesis of privacy.

Re: who gives a shit

I don't think perverts care much about tech security. They just care about getting their rocks off.

Re:who gives a shit

whoopty fuckin doo.

You know, I'm a grumpy old man who doesn't use apps, and even I know what Tinder is.

If a company was valued at $3 billion in August, and they're not using https and the like ... the CEO and the developers are all incompetent, lazy idiots who are pretty much running a global company as if they're clueless idiots straight out of school. The equivalent of castration doesn't seem like too much for a company who can't do basic security .. certainly not one worth that much.

Sorry, but the more your company is worth, the less you get to have any excuses for shit security.

But the new app economy apparently means useless morons who appeal to idiots with shiny baubles can be incompetent at running a multi-billion dollar entity.

This is just yet another reason why I distrust apps and have no interest in them. Because the greed goes in before the quality does, and marketing people don't give a fuck about your privacy or security. And unfortunately as they become rich not having shitty software never seems to become a priority.

Asshole silicon valley millionaires, selling snake oil and dog shit.

Re:who gives a shit

HTTPS only makes it harder for an MitM (ISP) to listen in and if the ISP is malicious they can repacket your connection.
It isn't sufficient for Tinder to switch to HTTPS. It is also necessary that the end user knows that it is supposed to be HTTPS and that the certificate shouldn't be self-signed.

HTTPS also won't hide what server you are connecting to so if the culture is averse to dating and sexuality then you are screwed either way.

The fetish thing can be a concern, but I would say it is pretty insignificant compared to not being able to trust your ISP.
If your ISP is malicious then you are screwed.
Even if you manage to set up a secure link by sharing certificates through sneakernet or whatever that will only hide your data. The ISP will still see that you connect to Tinder.
You can use Tor, but if you are the ISP then you can block and delay packets as you see fit until you have mapped the traffic.

Or causing divorces and other things

It you being on Tinder leads to a divorce then it is pretty clear that you didn't talk it through with your spouse beforehand and that you cheated on him/her.
If that is the case then you got what you had coming for you. Be glad it didn't turn into a double murder.

Re:who gives a shit

That's my assessment as well.

It's worth bringing up I guess, if you live in a country where being a different sexual orientation is a capital offence.

Re:who gives a shit

[ctilsie242]

There is also the opportunity for blackmail. A few choice photos that were "leaked" can ruin someone's career, or in some countries, have them executed.

I thought other places would have learned a lesson in protecting their users after the Ashley Madison breach, with the fallout that happened over that. However, guess not.

Time to swipe left on that service until they actually put some value into their internal security.

Re:who gives a shit

[jellomizer]

If you are using an App you may not have such visability even if you are doing a website, other then us tech guys who will dig down into the HTML and see the Pictures are not encrypted?

This argument is like that Microsoft did in the late 1990's to push Active X over Java. While the JavaApplet avoid writing and reading directly to your disk, limiting its functionality. This wasn't the factor in Active X. However the app would pop up an alert stating that this could be dangerous, figuring that the average person would be smart enough to avoid running the active X control from an outside site that isn't trustworthy. That wasn't the case. And in the early 2000's Microsoft got hit with a battery of hacks and spyware because of this.
The average person if trying to get something (A Video, play a game, see content) will click the link and accept the warnings to see such information. The real responsibility lies into the vendor releasing the products. Because people will be stupid, even the best of us, may have lapse in best security practices from time to time. That one Email that really looked legit where you clicked the link, a mistype in an URL bringing you to a phishing site...

Re: who gives a shit

[jellomizer]

The issue is these people may not actually be perverts, but just looking for romance.

Re:who gives a shit

Time to swipe left on that service until they actually put some value into their internal security.

How much to people pay Tinder to be a member?

Because, if it's free, then they don't give a fuck about your security, they care about their profits. At the very least, they rushed it out the door and it's badly written and insecure and they'll never bother to fix it.

Me, I just assume all apps are created by incompetent greedy assholes who are only interested in their own bottom line and have a business model which amounts to collecting and selling your personal information.

My app policy is that most of the companies who make apps can pucker up and kiss my ass because I don't plan on using them anyway.

Re:who gives a shit

[Oswald+McWeany]

If you are using the Internet you aren't taking privacy seriously.

That's why I never use the internet. I especially don't use it to post comments to a forum where anyone else might see my opinions on things.

Re:who gives a shit

[110010001000]

I agree 100%. Only idiots use the Internet.

Re:who gives a shit

[110010001000]

If you are using closed source software you REALLY shouldn't be concerned about privacy, because the software could literally be doing anything.

Re:who gives a shit

There's fucking videos of me getting pegged on the internet. I'm so far past giving a shit that I can't even remember what it felt like.

Re:who gives a shit

Links please!

Re: who gives a shit

[Zero__Kelvin]

So unless someone is using Open Source with no internet connection (see also earlier post in this thread from this doofus) then they aren't serious about privacy? I was so sure banks were serious about their privacy too.

Re:who gives a shit

Masterfully crafted.

Re:who gives a shit

You're saying that as if the real world is so much better. I live in a moderately big city, but literally every time I meet some girl, the next time I meet up with my friends at least one of them says that an acquaintance told him (or more usually, her) he saw me with a strange girl the other night.

Half of that is obvious

[EndlessNameless]

Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder.

When different user actions result in widely different application behavior, it will always be easy to infer the user action. E.g., if matching is the only action that does not result in a new profile being presented, then observation of the smaller data exchange will lead to that inference.

The only way to avoid this is to make the network traffic identical for all cases, which is extremely wasteful of bandwidth and, presumably, battery life.

That said, encryption of all data should be standard now. There is some overhead, but it's not the 1990s---crypto is not that burdensome.

Re:Half of that is obvious

[zifn4b]

Using Tinder at Starbucks, not wise. Not setting up a guest WIFI network at your house, not wise. Leave your front door open and put a sign in the middle of it that says "Please come and steal all my shit", not wise.

I would actually love to see the United States devolve back to 19th Century homestead life just to watch Millennials be completely clueless about how to survive. What are they going to do protect their homestead from bandits and brigands, have an academic discussion them with them about empathy and progressive idealism? No. You protect your shit, anticipating that someone is going to potentially trespass on your property as it's always been. That's your responsibility as an animal in nature. This is what survival of the fittest is all about. All these happy, feely, unicorn loving millennials would disappear as a result of natural selection in a generation or two if they had to really come face to face with the nature they've been insulated from by their helicopter parents.

When that grizzly bear is chasing you through the woods because it wants to eat you for dinner and you're trying to educate it about what a safe space is, let me know how that goes. Or rather, you won't be able to for obvious reasons.

Re:Half of that is obvious

When that grizzly bear is chasing you through the woods because it wants to eat you for dinner and you're trying to educate it about what a safe space is, let me know how that goes. Or rather, you won't be able to for obvious reasons.

You really ought to have put a trigger warning on your post to avoid microaggressions. Someone could have been mildly offended at what you wrote, or been inflicted with PTSD!

Re:Half of that is obvious

Oh shut the fuck up Granddad and get back to your nursing home already. Herp derp lets all go live on a homestead like its 1865. Guess what asshole, you'll probably die from something like typhoid or some crap.

When that grizzly bear is chasing you through the woods because it wants to eat you for dinner

Oh shut the fuck up, bears in general do not eat humans at all. Sure if you go and fuck with her cubs, you might have problems. Though why were you fucking with a grizzly bear to begin with?

Re:Half of that is obvious

[zifn4b]

You really ought to have put a trigger warning on your post to avoid microaggressions. Someone could have been mildly offended at what you wrote, or been inflicted with PTSD!

I know man. Nature and reality are so offensive. Life should come with warning labels too. It might offend someone. Seriously, there has got to be someone to complain to about how unfair reality and nature is. Whoever created this place is so not cool because it wasn't made special to suit all my personal preferences and I am soooo special, Mommy and Daddy told me so. eyeroll

Re:Half of that is obvious

[lucasnate1]

Why do people miss violence and murder?

better:

[supernova87a]

Maybe if you've got a stalker watching who you swipe on Tinder, you should ask him/her out on a date instead? Problem solved.

Re:better:

Not solved at all! What if it was just an AI stalking you?

Re:better:

Not solved at all! What if it was just an AI stalking you?

This kind of disgusting discrimination against AI is why we can't have nice things.

Re:better:

[zlives]

if its an AI and not some bullshit database pretending to be intelligent then yeah no worries i would swipe right.

Re:better:

t. ai

Security???? Tinder users????

[140Mandak262Jamuna]

Come on, these people are hooking up strangers, and they will be concerned about security?

Re:Security???? Tinder users????

Did you miss the blackmail part? I'm guessing the strangers part is fine unless you are MARRIED and hooking up with strangers. Then you can blackmail.

While this may not be advisable, you certainly could set up shop on some known WiFi networks or even spear-phish super high end targets. I'm guessing there are high-value areas like certain parts of Washington DC, NYC, LA, etc.

Re:Security???? Tinder users????

[Shotgun]

"High value" targets would have no need for Tinder, and a much easier way to catch them would be to post a desirable profile then get anywhere within a mile of them.

If I were a PO at Tinder, I would not spend one minute on "fixing" this "problem", because it isn't one. The target has no value, and anything discoverable is already in the public domain.

inform4tive 3umcum

she 4ad no fear Risk lookTing even

Default?

These seems like some really shoddy and/or lazy development. More than this particular issue it makes you wonder what other shortcuts or sloppy development they have hiding in their app?

Newsflash!

[zifn4b]

Social media makes your personal information public! Film at 11! Another amazingly, intellectual stimulating contribution by msmash! It's a HOOK UP app for one night stands for crying out loud!

Re:Newsflash!

The fact that it is a hookup app is exactly why (lack of) security is important. Also, this isn't "social media". People using the app DO expect some level of privacy. Why do people throw the "social media" term around when talking about any app that allows you to interact with another person. Skype is not "social media". Texting your friend a photo is not "social media". Texting random people through an app is not "social media" except for limited situations that really don't fit the true purpose of the app (i.e. a power user trying to make a statement or market herself as a literal whore).

Remember, CEOs, politicians, religious leaders, etc. are all actually pretty regular people that use this stuff. The situations range from embarrassing i.e. your one night stand being plastered around the news to being caught in an affair or worse.

You may be able to demonize some of the potential victims but I don't think anyone would enjoy having their intimate dating log spied on and potentially released publicly with a "proof or truth" record to corroborate the "gossip" even if it is 100% innocent. Imagine some single Hollywood star having their actions published. Not good.

Jokes on them...

What could they possibly learn from the fact that I swipe right on everyone, other than I'm incredibly lonely?

Y'all are missing the big opportunity

[Baron_Yam]

Imagine a 'mess with Tinder' app that sits on your phone, and allows you to inject images of your choice into the stream of anyone using the same local connection.

Re:Y'all are missing the big opportunity

[HeckRuler]

It'd be kinda funny if all tinder profiles in a coffee shop were suddenly pictures of the barista.

Re:Y'all are missing the big opportunity

[Baron_Yam]

You've made me think of something MORE evil - hijacking Tinder to sell coffee.

What if every other profile served up on your phone was a menu item???

Re:Y'all are missing the big opportunity

It'd be kinda funny if all tinder profiles in a coffee shop were suddenly pictures of the barista.

Nah go with "lemon party", the reaction is guaranteed.

Re:Half of that is obvious FTFY

I would actually love to see the United States evolve forward to 22nd Century homestead life just to watch Assholes be completely clueless about how to survive.

What risk?

[AlanObject]

I don't get it.

To be usable the Tinder app requires you to post pictures of yourself, presumably looking as attractive as possible in some way, and a come-on line and a few personal details such as what gender you are and what gender you are looking for. Anybody can view all that.

So after exposing all that what you swipe on is supposed to be a "risk" of some kind? Seems to me that ship already sailed.

Re:What risk?

[andydread]

My thoughts exactly. Blackmail? really? Maybe if the person is married they can be blackmailed but the chance is greater that their wife/husband's friend is on Tinder and spots them and just rats them out.

Two Possibilities

[ImprovOmega]

Possibility #1: You care about privacy. If you actually care about privacy you are already routing all of your internet traffic through a no-logging VPN paid for through an anonymous crypto-currency wallet. Result: this problem doesn't affect you because all your traffic to the VPN provider is encrypted anyway.

Possibility #2: You don't care about privacy. Result: this also doesn't affect you because you don't care anyway.

Conclusion: non-issue.

cheating

I was recommended to this professional hacker, He helped me to expose all my partner’s secret that kept my marriage intact, who he was cheating with and allHe has video proofs, Contact him on: dloxvichackskool @ g m a i l . com contact phone : +1 6 1 9 6 3 2 5 9 2 6 his services include hacking (hint: mobile phones, Instagram, Facebook, gmail,twitter, whatsapp, kik, bank account, iphones, MeetMe, Snapchat, WeChat, hike etc.), tracking, cloning ,upgrading result,preventing you from been hacked or tracked,Adding any important account to your account without account owner knowing he can also help you to spy on your spouse so that you'll know whether he or she is cheating. he can also teach hacking at a very affordable price.

Security breach!!

[hoggoth]

This random stranger is able to see me trying to hook up with random strangers! This security vulnerability leaves me open to being seen by a total stranger, but not necessarily one of the ones I want to be seen by, as far as I know, since they are all strangers.

Tinder??

I thought it was "Timber", the dating app for lumberjacks!

"I'm a lumberjack and I'm OK, I work all night and I sleep all day!"