Tinder's Lack of HTTPS Allows Strangers to Spy On Your Swipes
In 2018, it would normally be safe to assume that any application that transmits potentially sensitive information would be encrypted with HTTPS so that other users of public WiFi would not be able to intercept or modify the data. However, this is not the case for the world's most popular dating app Tinder.
Security researchers at Checkmarx discovered and demonstrated that Tinder still lacks HTTPS encryption for photos. Simply being on the same network as a Tinder user would allow an attacker to view or even modify the photos being transmitted to and from the device. While some of the data the Tinder app transmits is encrypted, the encrypted traffic follows a predictable size pattern. For example, Tinder represents a swipe left (rejecting a potential date) as 278 bytes of data. A swipe right (accepting a potential date) is represented as 374 bytes, and a match lands at 581 bytes. Combining the unencrypted photos with the predictable sizes of the encrypted data stream would allow an attacker to reconstruct a Tinder user's exact activity on the application.
While most people's dating preferences would normally be only a personal matter, there are larger implications, including blackmail, as the Ashley Madison data leak showed. Imagine capturing the Tinder data of a married person using the app, or the dating preferences of a potential target for social engineering.
With the ease of encrypting everything using services like Let's Encrypt, there is no defensible reason for any major company not to encrypt all of its traffic with HTTPS.
Tinder was notified of this vulnerability in November 2017, but as of the time of this writing, Tinder still transmits photo data over cleartext HTTP and does not pad the swipe left/right interactions to make them unidentifiable. Until these changes are made, assume everyone else on the same network can see all of your Tinder interactions.
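The size-based inference described above and the padding fix this paragraph says is missing, as an added Python example (not Checkmarx's or Tinder's code). The three byte counts are the article's; the placeholder payloads, the 4-byte length header and the 1024-byte bucket are constructed assumptions, and the example treats the article's byte counts as pre-encryption lengths for simplicity.

```python
"""Size-based traffic analysis of swipe responses and the padding mitigation.

The sizes 278 / 374 / 581 are the article's figures. Payload contents, the
length header and the bucket size are constructed for this example.
"""

# What each observed ciphertext length reveals to a passive observer.
SWIPE_SIZES = {278: "swipe_left", 374: "swipe_right", 581: "match"}


def classify(size: int) -> str:
    """Infer the action from a single response length (the leak)."""
    return SWIPE_SIZES.get(size, "unknown")


def pad_to_bucket(payload: bytes, bucket: int = 1024) -> bytes:
    """Mitigation: pad before encryption so every action ends up the same
    length on the wire. A 4-byte length header lets the receiver strip
    the padding unambiguously. Under TLS the ciphertext length is the
    plaintext length plus a fixed overhead, so padding here hides the
    size differences the article describes."""
    if bucket <= 0:
        raise ValueError("bucket must be positive")
    body = len(payload).to_bytes(4, "big") + payload
    padded_len = -(-len(body) // bucket) * bucket  # round up to bucket
    return body + b"\x00" * (padded_len - len(body))


def unpad(padded: bytes) -> bytes:
    """Receiver side: recover the original payload from its header."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def distinct_lengths(sizes) -> int:
    """Number of distinguishable lengths an observer sees; 1 means none."""
    return len(set(sizes))


def demo() -> tuple:
    """Return (distinct lengths unpadded, distinct lengths padded)."""
    # Constructed payloads whose lengths match the article's numbers.
    actions = {"swipe_left": b"L" * 278, "swipe_right": b"R" * 374, "match": b"M" * 581}
    unpadded = [len(p) for p in actions.values()]
    padded = [len(pad_to_bucket(p)) for p in actions.values()]
    return distinct_lengths(unpadded), distinct_lengths(padded)


if __name__ == "__main__":
    print(demo())  # 3 distinguishable lengths before padding, 1 after
```

Bucketing to a fixed size removes the length signal for these three actions; bucket sizes must be chosen above the largest message, and the constant padding costs bandwidth on every response.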
Using a tunneling application such as Zscaler App will help prevent snooping by other users on the same network.