Most users trust, wait or simply understand that the information they handle in the applications they use day after day on their phone or computer is protected. He does not know what encryption is and how it works, but he assumes that the design of services prevents his data from being exposed. That would be desirable, but recurrently we run into problems. Today, with Tinder, one of the most popular dating applications.
Researchers from a security company specializing in applications, Checkmarx, says Tinder lacks basic HTTPS encryption for photos. This vulnerability along with others, detected in both the Android application and the iOS application, would allow an attacker connected to the same Wi-Fi that the victim could “monitor every user’s movement”. It could happen in coffee shops, libraries, airports, restaurants or anywhere with networks to which different people can connect.
‘Likes’, ‘matches’ and uncovered photos
According to the analysis, an attacker could view photographs climbing the victim, which is displayed to other users, inject fraudulent content flow profiles and find out what people are given like or how individuals have a match . These data, which do not compromise access credentials or have an immediate financial impact according to the signature, could serve to blackmail vulnerable victims.
In the video that researchers have shared can be seen a proof of what they say. They built a program called TinderDrift that runs on a portable computer connected to a wifi network shared with others and automatically simulates what would be any session of a Tinder user.
In the demonstration the Checkmarx specialists take advantage of the lack of HTTPS encryption when transmitting images to and from the phone to intercept them . This was the easiest thing, the rest of the data they could get, which are encrypted by Tinder, needed the combination of another vulnerability.
Specifically one that produces byte patterns, recognizable even when they are encrypted , depending on the events that occur, such as likes or dislikes . Uniting the capture of the photos with this problem gave the possibility of knowing the rest of the information. The messages, yes, are saved on this occasion. Although through other types of attacks in the past they could have been exposed .
The researchers make it clear that the disclosure of the two vulnerabilities has been carried out after duly informing Tinder’s security team and having conveniently followed the responsible disclosure process. In Speaking to Wired , a spokesman for Tinder said the HTTPS encryption for images does exist in the web version and are working to carry applications, implicitly recognizing the problem.