News

TinderDrift vulnerability lets others spy on your Tinder swipes

Researchers discovered two vulnerabilities that, if combined, can enable the attacker to spy on Tinder moves of the victim.

In 2018 any of your assumption regarding a sensitive app thoroughly encrypting the connection made from your mobile to the cloud is a thought worth laughing.

Even if a stranger who is drinking his coffee while sitting at two tables away – can capture your secrets via the local WiFi. Yes, this is how dangerous the current digital world has become. You can’t even detect spies online without banging the head in your device screen for hours.

You might have freaked a bit. But trust me, you shouldn’t. It is all normal these days, whereas, you must take precautions.

Sure thing, it is possible even for internet dating services claiming stealthy security for the users.

TinderDrift vulnerability lets others spy Tinder swipes
Both of the Tinder apps, Android and iOS, still lack the basic encryption.

Either way, if you thought you’d have complete privacy protection on the top dating platform Tinder – let me tell you that you have entirely false hopes.

Recently a company found out that Tinder lacks on the standard encryption. Which means, your photos, swipes, and matches aren’t safe from digital snooping eyes.

On Tuesday, 23rd of January 2017,  researchers from Tel Aviv backed firm Checkmarx (a known app security company) proved that Tinder lacks the necessary “https” encryption for images.

More precisely, researchers found that if you are on the very same Wi-Fi network with other Tinder users (either on Android or iOS) – you can see what images the other user has taken.

Even more fascinating is the fact that, you can also insert any of your photos you want on their personal pictures stream.

Even if some of the data from the app is https-encrypted, the security company found out that Tinder leaks plenty of data – enough to rip apart the commands.

An excellent opportunity for a hacker who is on the very same network that could watch the process of swiping; and, he can even match for the target. Which is similar to watching a user over the shoulder, isn’t it?

Security specialists affirmed that this surprising lack of protection could lead to many issues for the Tinder users, such as blackmail schemes and voyeuristic nosiness.

One of the experts Erez Yalon, manager of app security research affirmed:

“We can simulate exactly what the user sees on his her screen.” He further added,  “You know everything: What they’re doing, what their sexual preferences are, a lot of information.”

TinderDrift demonstrates the lack of encryption in Tinder

Checkmarx created a software (kind of proof-of-concept), called TinderDrift. They tested it on a laptop connected to a WiFi network where other Tinder users were active too.

The program began remaking the whole session of other users automatically.

So, in this way, they outlined how TinderDrift has exploited Tinder’s absence of the HTTPS encryption.

On the other hand, the app sends photos from mobile phones to the unprotected HTTP – which makes them very easy to get found on the same network.

The findings do not stop here; amazing researchers at Checkmarx had some other things on their hands too – to make sure they pull all the information out from the data Tinder says is encrypted.

Tinder Events

Researchers discovered that unique events in Tinder could make distinctive patterns of the bytes. Interestingly, they were noticeable even on the encrypted form.

As an example, the Tinder can make 278 bytes only for swipe left for possible rejections. While swiping right, the pattern makes 374 bytes – and subsequently, for a match, it can reach 581.

TinderDrift, the Tinder’s discovered vulnerability, can intercept photos and can stamp them as rejected, approved or even matched. Amazingly everything is done in the real time.

It basically is only a simple combination of 2 vulnerabilities which drive a huge privacy issue.

Yalon also affirmed that for now, this technique couldn’t expose any messages sent by the Tinder users to each other (of course, once they match back to each other).

I’d say it is one good news for you if you are on Tinder, at least for now.

Tinder knows about the TinderDrift vulnerability

A representative from Checkmarx said they informed Tinder regarding these Tinder privacy issues back in November 2017, already.

But, the widely-used dating app hasn’t started filling in the privacy holes yet.

As a fix to these vulnerabilities, Tinder should “pad” other commands within its app alongside encrypting the photos – Checkmarx suggested to the dating platform.

All in all, Tinder needs to make each command appear as the very same size so that when amid at a random data stream they should be indecipherable.

What can I do to keep myself safe from TinderDrift?

As stated above, the company still has to take steps for fixing the vulnerability in question.

And it hasn’t taken any steps out of the suggestions noted above; which means, all of the Tindering you would do over public WiFi – is going to be public too (precisely as like public WiFi in use).

So until the online dating giant does not fix it, you should consider using Tinder only on your very own Internet connection – and not a public/shared WiFi, at any cost.

Ali Qamar
the authorAli Qamar
Editor
Ali is an Internet security and tech enthusiast who enjoys "deep" research to dig out modern discoveries in the tech and security industry. Before turning to tech and security, he worked in marketing and management sector. He is passionate about sharing the knowledge with people and always try to give only the best.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.