Tinder security flaw granted account access with just a phone number

Security researchers at Appsecure found a way to access anyone’s Tinder account via their phone number. The exploit took advantage of software flaws in both the dating app’s login process and the Facebook API that it’s based on. The issues have since been fixed, but they represent a pretty big security lapse.

“Both the vulnerabilities were fixed by Tinder and Facebook quickly,” wrote Appsecure’s Anand Prakash on Medium. Facebook and Tinder rewarded the company $5000 and $1250, respectively, for its report. This isn’t the first report of Tinder security flaws, either: the company previously failed to encrypt user photos and (back in 2014) exposed users’ exact locations for months.

When you log in to Tinder, you have the option of using your phone number, which is then passed along to Facebook’s Account Kit to authenticate you to Tinder. The Appsecure folks found that they could get a valid access token with an API request to Facebook’s Account Kit using a phone number. In addition, Tinder’s login system wasn’t checking these access tokens to make sure they matched the associated user’s client ID, which means that any valid access token could let someone log in to your Tinder account.
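The missing client ID check described above, as an added example that is not code from Tinder, Facebook or Appsecure: a simplified relying-party login shown once without and once with the check that a token was issued to this app. The token table, app IDs, phone number and function names are all constructed for illustration and do not reflect the real Account Kit API.

```python
# Constructed stand-in for the identity provider's token lookup:
# token -> the app (client ID) it was issued to and the phone number it asserts.
ISSUED_TOKENS = {
    "tok-dating-alice": {"app_id": "dating-app", "phone": "+15550100"},
    "tok-other-alice": {"app_id": "other-app", "phone": "+15550100"},
}
OUR_APP_ID = "dating-app"          # hypothetical client ID of the relying app
ACCOUNTS = {"+15550100": "alice"}  # constructed phone -> account table


class LoginError(Exception):
    """Raised when a login attempt must be rejected."""


def introspect(token):
    """Return the provider's metadata for a token, or reject unknown tokens."""
    meta = ISSUED_TOKENS.get(token)
    if meta is None:
        raise LoginError("unknown or expired token")
    return meta


def login_unchecked(token):
    """Flawed pattern: any valid token is accepted, whichever app it was issued to."""
    meta = introspect(token)
    return ACCOUNTS[meta["phone"]]


def login_checked(token, expected_app_id=OUR_APP_ID):
    """Hardened pattern: accept the token only if it was issued to this app."""
    meta = introspect(token)
    if meta["app_id"] != expected_app_id:
        raise LoginError("token was issued to a different client ID")
    account = ACCOUNTS.get(meta["phone"])
    if account is None:
        raise LoginError("no account for this phone number")
    return account
```

The same phone number appears under two app IDs on purpose: the token is valid at the provider in both cases, and only the binding check tells them apart.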

Via: The Verge

Source: Appsecure

Source: Engadget

Author: Daily Tech Whip
