Researchers uncover vulnerabilities in dating apps Tinder and Bumble

25 Oct 2017

Swiping through Tinder on mobile. Image: Alex Ruhl/Shutterstock

Security researchers find troubling details about dating app security.

Online dating apps are ubiquitous, with millions of people using them to find love or play the field. However, it turns out that the dangers go beyond a date who looks different to their profile photograph.

Security researchers at Kaspersky Lab have uncovered numerous exploits in apps such as Bumble, OKCupid and Tinder.

They found that they could access users’ real names, location data, login info, profile views and even their message history.

Nine mobile dating apps were looked at in total, and researchers found that attackers don’t even need to access the app servers as the apps themselves have minimal HTTPS encryption.

Location tracking

In terms of location tracking, researchers fed apps false coordinates and measured changing distances from users. Tinder, Happn and four other apps were vulnerable to this.

Researchers also made the point that simply using the information that people make visible on the apps by choice can lead to invasions of privacy – for example, using employment or education information to narrow down someone’s identity on a less secure social media site.

Unencrypted HTTP

Tinder, Bumble and Paktor for Android as well as Badoo for iOS all upload photographs via unencrypted HTTP. This was then used by researchers to see which profiles users viewed and who they clicked on.

One exploit in particular could be quite damaging for Android users. It depends on superuser rights, which can be gained by using an app to root a device, the Android version of jailbreaking.

The Tinder app enables Facebook login by default, and researchers were able to find the authentication token for a Tinder account’s linked Facebook profile, gaining full access. Bumble, OKCupid, Badoo, Happn and Paktor were all vulnerable to similar attacks, and hackers could also potentially view app messages using the superuser rights.

Details of the exploits have been sent to all relevant developers.

Safe swiping

Researchers offered these tips for those who still feel like swiping right: “First, our universal advice is to avoid public Wi-Fi access points (especially those that are not protected by a password), use a VPN and install a security solution on your smartphone that can detect malware.

“Secondly, do not specify your place of work, or any other information that could identify you.”

Although not all apps tested were vulnerable to all exploits, it would be wise to take care if you want your app activity to remain anonymous.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
