Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com)
Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder.
When different user actions result in widely different application behavior, it will always be easy to infer the user action. E.g., if matching is the only action that does not result in a new profile being presented, then observation of the smaller data exchange will lead to that inference.
The only way to avoid this is to make the network traffic identical for all cases, which is extremely wasteful of bandwidth and, presumably, battery life.
That said, encryption of all data should be standard now. There is some overhead, but it's not the 1990s---crypto is not that burdensome.
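The inference described in the comment above (a match produces a smaller exchange than a swipe that loads the next profile, so an on-path observer can pick matches out of TLS traffic by length alone) and the cost of the only real fix (padding every response to the same size) can both be shown in a few lines. The following is an added example written for this page; it is not code from the Slashdot thread, from Checkmarx or from Tinder. The per-action byte counts, the `ACTION_SIZES` table and the `PAD_TO` value are constructed for illustration and are not measurements of any real app's traffic.

```python
"""
Toy traffic-analysis demo: an observer on the same network cannot read
TLS payloads, but can read their lengths. If different user actions
produce responses of different sizes, the lengths alone reveal the action.
Padding every response to one fixed size removes that signal, at the
cost of extra bytes on the wire.

Added example for this page; all sizes below are constructed, not measured.
"""

# Constructed, hypothetical response sizes in bytes for an unpadded API.
# A swipe returns the next profile card; a match returns only a short
# notification, so it is the one action that stands out by size.
ACTION_SIZES = {
    "swipe_left": 1850,
    "swipe_right": 1870,
    "match": 320,
}

PAD_TO = 2048  # hypothetical fixed ciphertext length for the padded variant


def observed_length(plaintext_len, padded=False):
    """Length an on-path observer sees for one response.
    TLS hides content, not length, so without padding the plaintext size
    leaks (a fixed record overhead is ignored here). With padding every
    response is exactly PAD_TO bytes."""
    if padded:
        if plaintext_len > PAD_TO:
            raise ValueError("payload exceeds pad size")
        return PAD_TO
    return plaintext_len


def build_profile(padded=False):
    """Observer's training step: map each observed length to the set of
    actions that could have produced it (built from the known API shape)."""
    profile = {}
    for action, size in ACTION_SIZES.items():
        profile.setdefault(observed_length(size, padded), set()).add(action)
    return profile


def classify(lengths, profile, tolerance=50):
    """For each observed length return the set of candidate actions.
    `tolerance` absorbs small variations such as differing name lengths."""
    results = []
    for n in lengths:
        candidates = set()
        for known, actions in profile.items():
            if abs(known - n) <= tolerance:
                candidates |= actions
        results.append(candidates)
    return results


def simulate(actions, padded=False):
    """Run a session of user actions past the observer and return what the
    observer concludes for each one."""
    profile = build_profile(padded)
    lengths = [observed_length(ACTION_SIZES[a], padded) for a in actions]
    return classify(lengths, profile)


def match_recoverable(actions, padded=False):
    """True if the observer can single out every match with no ambiguity."""
    return all(
        (guess == {"match"}) == (a == "match")
        for a, guess in zip(actions, simulate(actions, padded))
    )


def bandwidth(actions, padded=False):
    """Total bytes on the wire for the session; shows the cost of padding."""
    return sum(observed_length(ACTION_SIZES[a], padded) for a in actions)


if __name__ == "__main__":
    session = ["swipe_left", "swipe_right", "match", "swipe_left"]
    for padded in (False, True):
        print("padded" if padded else "unpadded",
              simulate(session, padded),
              "match recoverable:", match_recoverable(session, padded),
              "bytes:", bandwidth(session, padded))
```

Without padding the observer cannot tell a left swipe from a right swipe here (their sizes are within the tolerance), but every match is unambiguous, which is exactly the inference the comment describes. With padding every response looks identical and the observer learns nothing from length, but the session costs noticeably more bytes, which is the bandwidth and battery trade-off the comment raises.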
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Being that it is a popular app, there will be a lot of people using it.
There are a lot of taboos in our culture around dating and sexuality in general.
Realizing that a perfectly normal-seeming person has some sort of fetish can often be used against them: by making it public, making people feel uncomfortable, or being a reason to separate them from a particular job or group, or causing divorces and other things, from a moment of curiosity or bad judgement.
These types of services really should take privacy seriously, as breaches can ruin people's lives.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Maybe if you've got a stalker watching who you swipe on Tinder, you should ask him/her out on a date instead? Problem solved.
Come on, these people are hooking up strangers, and they will be concerned about security?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
This seems like some really shoddy and/or lazy development. More than this particular issue, it makes you wonder what other shortcuts or sloppy development they have hiding in their app.
There is also the opportunity for blackmail. A few choice photos that were "leaked" can ruin someone's career, or in some countries, have them executed.
I thought other places would have learned a lesson in protecting their users after the Ashley Madison breach, with the fallout that happened over that. However, guess not.
Time to swipe left on that service until they actually put some value into their internal security.
If you are using an app you may not have such visibility, even if you are using a website; other than us tech guys who will dig down into the HTML and see the pictures are not encrypted?
This argument is like the one Microsoft made in the late 1990s to push ActiveX over Java. While the Java applet avoided writing and reading directly to your disk, limiting its functionality, this wasn't a factor in ActiveX. However, the app would pop up an alert stating that this could be dangerous, figuring that the average person would be smart enough to avoid running the ActiveX control from an outside site that isn't trustworthy. That wasn't the case, and in the early 2000s Microsoft got hit with a battery of hacks and spyware because of this.
The average person, if trying to get something (a video, play a game, see content), will click the link and accept the warnings to see such information. The real responsibility lies with the vendor releasing the product, because people will be stupid; even the best of us may have a lapse in best security practices from time to time. That one email that really looked legit where you clicked the link, a mistyped URL bringing you to a phishing site...
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The issue is these people may not actually be perverts, but just looking for romance.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
If you are using the Internet you aren't taking privacy seriously.
That's why I never use the internet. I especially don't use it to post comments to a forum where anyone else might see my opinions on things.
"That's the way to do it" - Punch
I agree 100%. Only idiots use the Internet.
If you are using closed source software you REALLY shouldn't be concerned about privacy, because the software could literally be doing anything.
Imagine a 'mess with Tinder' app that sits on your phone, and allows you to inject images of your choice into the stream of anyone using the same local connection.
I don't get it.
To be usable the Tinder app requires you to post pictures of yourself, presumably looking as attractive as possible in some way, and a come-on line and a few personal details such as what gender you are and what gender you are looking for. Anybody can view all that.
So after exposing all that what you swipe on is supposed to be a "risk" of some kind? Seems to me that ship already sailed.
So unless someone is using Open Source with no internet connection (see also earlier post in this thread from this doofus) then they aren't serious about privacy? I was so sure banks were serious about their privacy too.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Possibility #1: You care about privacy. If you actually care about privacy you are already routing all of your internet traffic through a no-logging VPN paid for through an anonymous crypto-currency wallet. Result: this problem doesn't affect you because all your traffic to the VPN provider is encrypted anyway.
Possibility #2: You don't care about privacy. Result: this also doesn't affect you because you don't care anyway.
Conclusion: non-issue.
This random stranger is able to see me trying to hook up with random strangers! This security vulnerability leaves me open to being seen by a total stranger, but not necessarily one of the ones I want to be seen by, as far as I know, since they are all strangers.
- For the complete works of Shakespeare: cat