Tinder security flaw could have let hackers access accounts using just a phone number
Tinder accounts were almost swiped right into the hands of hackers after researchers found they were able to login to user accounts using just a phone number.
While the vulnerability is now fixed, it’s obviously worrying that chat history and photos could have been exposed.
The vulnerability came down to a combination of two things: Tinder's login flow and its use of Facebook's Account Kit. It could have given malicious hackers or sour exes access to accounts. How it should work is quite simple: when a user chooses to log in to the app using their phone number, they are redirected to Facebook's Account Kit. Account Kit texts a confirmation code to the user, who types it into the Account Kit website; Account Kit then authenticates the user and passes an access token to Tinder. That handover, however, is where the vulnerability occurred.
While the Tinder API should have been checking the client ID on the Facebook Account Kit token, it wasn't. This meant attackers could take a token issued by any of the numerous other apps that use Account Kit and use it to gain entry to the victim's Tinder account.
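To make the missing check concrete, here is an added example (written for this page, not code from Tinder, Facebook or Anand Prakash's write-up) that models a server accepting a phone-login token. It assumes the token introspection result carries the id of the application the token was issued for under an "application" key; that field name, the app ids and the phone numbers are constructed placeholders. The vulnerable function accepts any well-formed token, the fixed one rejects a token minted for a different client application.

```python
"""Added example: the audience/client-id check that the article says was
absent. Field names in the introspection result are assumptions."""
import json
from typing import Optional

# Constructed sample introspection responses, shaped like an OAuth-style
# "who does this token belong to" answer. All ids and numbers are placeholders.
TOKEN_FOR_OUR_APP = json.dumps({
    "id": "1001",
    "application": {"id": "APP_ID_OUR_DATING_APP"},
    "phone": {"number": "+15550001234"},
})
TOKEN_FOR_OTHER_APP = json.dumps({
    "id": "1001",
    "application": {"id": "APP_ID_SOME_OTHER_APP"},
    "phone": {"number": "+15550001234"},
})

OUR_APP_ID = "APP_ID_OUR_DATING_APP"  # the client id this server expects


def login_phone_vulnerable(introspection_json: str) -> Optional[str]:
    """Before: trusts any well-formed Account Kit-style token and returns the
    phone number to log in. A token issued for a different app is accepted
    too, because nothing ties the token to this server's client id."""
    data = json.loads(introspection_json)
    return data.get("phone", {}).get("number")


def login_phone_fixed(introspection_json: str,
                      expected_app_id: str = OUR_APP_ID) -> Optional[str]:
    """After: the token is honoured only if it was issued for this app.
    Returns None (no login) when the application id does not match."""
    data = json.loads(introspection_json)
    app_id = data.get("application", {}).get("id")
    if app_id != expected_app_id:
        return None  # reject: token belongs to another client application
    return data.get("phone", {}).get("number")


if __name__ == "__main__":
    # Same phone number, token minted for another app: only the fixed path refuses it.
    print("vulnerable:", login_phone_vulnerable(TOKEN_FOR_OTHER_APP))
    print("fixed:", login_phone_fixed(TOKEN_FOR_OTHER_APP))
    print("fixed, correct app:", login_phone_fixed(TOKEN_FOR_OUR_APP))
```

The point of the comparison is that the phone number alone is not a credential: it is the same in both tokens, so the only thing distinguishing a legitimate login from a cross-app replay is the application id the identity provider bound the token to.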
The vulnerability was discovered by AppSecure’s founder, Anand Prakash, who published a blog post detailing his findings. He cashed out with $5,000 from Facebook’s Bug Bounty programme and $1,250 from Tinder as a reward.
“The attacker basically has full control over the victim’s account now – he can read private chats, full personal information, swipe other user profiles left or right etc.” Prakash wrote.
Luckily, no accounts seem to have been broken into before the vulnerability was patched.
It hasn’t been a good month for Facebook. It has already been having phone-authentication issues, and earlier this week the company admitted that the spammy SMS notifications it was sending to users were, in fact, a bug.