According to the Checkmarx Security Research Team, the stalker-friendly vulns also allow an attacker to control the profile pictures that the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content.
“As Rockwell described in his famous song, if you always feel like someone’s watching you, and you have no privacy – chances are, you might be right,” said Checkmarx researcher Dafna Zahger in an analysis.
Tinder allows users to swipe through dating profiles of people in their immediate vicinity: They swipe right for a profile they like, left if they lack interest and up if they “Super Like” someone. If someone likes them back, the next step is chat-messaging to set up a rendezvous. So far, the app has created more than 20 billion matches in 196 countries.
Aside from the potential ad fraud and malware delivery issues, the vulnerabilities, found in both the Android and iOS versions of the app, allow an attacker to stalk and blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.
The situation raises the question of how complacent we have become when it comes to online privacy.
“Knowing an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing,” said Zahger. “But is it enough to have you abandon the app altogether? Most apps nowadays seem to be vulnerable, so what’s the alternative? Where do we, as users, draw the line? Is it at the smallest compromise of our privacy, or do we shrug it off until sensitive data is stolen?”
Until all app developers implement comprehensive application security testing solutions, “we should probably still be cautious and mindful,” she added. “This means avoiding public networks as much as possible, using HTTPS over HTTP and generally being aware of what might be happening over our virtual shoulder.”
Checkmarx said that it has disclosed the vulnerabilities to Tinder.