Researchers Find Account Takeover Flaw In Tinder
MobileNews February 26, 2018 Arianna Gael
Poor encryption blamed for access to user data.
Tinder’s geographically-based social networking “meet new people” model is responsible for introducing the concept of swiping right to society, but it’s also credited with a new problem: cybersecurity. Specifically, it’s one of a growing number of apps and platforms whose encryption has left a lot to be desired. Only last month, experts found that poor encryption allowed anyone with the proximity and the skill set to spy on your “swipes” and access both messages and images.
Now, a researcher at Appsecure has discovered a security flaw that allowed him to completely take over a Tinder account with just a phone number (a readily available piece of information that some social media users even list in their Facebook profiles). Anand Prakash discovered that Tinder’s vulnerability, when combined with Facebook’s Auto Kit, allowed him to actively take over an account. Prakash reported both issues to the respective companies, and security patches have been issued, along with nominal discovery awards for his efforts.
Exploits exploited
There’s a double-edged sword of a conundrum associated with the widespread use of 21st-century technology. On the one hand, as consumers we should be able to expect flawless encryption in our most basic messaging apps; after all, the tech behind it isn’t new and the modes of attack aren’t some unblockable super-hacking tool. They’re literally just exploits that knowledgeable people can take advantage of.
Another day, another breach
But at the same time, with the widespread evidence of cybersecurity weaknesses in front of us, and the daily news about data breaches and hacking events, why are people still so blindly trusting of their tech? Who would possibly place significant trust in an app or website when there are mountains of evidence to show they are not impenetrable?
Breach fatigue
A recognized condition known as data breach fatigue may be behind it. Consumers have become complacent about privacy, identity theft, and other PII-based issues. There may be a lingering sentiment that anyone who wants in will find a way, so don’t bother protecting yourself. It’s an understandable but still unacceptable attitude towards technology.