Security researchers have uncovered numerous exploits in popular dating apps like Tinder, Bumble, and OK Cupid. Using exploits ranging from simple to complex, researchers at the Moscow-based Kaspersky Lab say they could access users’ location data, their real names and login info, their message history, and even see which profiles they’ve viewed. As the researchers note, this makes users vulnerable to blackmail and stalking.
Roman Unuchek, Mikhail Kuzin, and Sergey Zelensky conducted research on the iOS and Android versions of nine mobile dating apps. To obtain the sensitive data, they found that hackers don’t need to actually infiltrate the dating app’s servers. Most apps have minimal HTTPS encryption, making it easy to access user data. Here’s the full list of apps the researchers studied.
Conspicuously absent are queer dating apps like Grindr or Scruff, which similarly include sensitive information like HIV status and sexual preferences.
The first exploit was the simplest: It’s easy to use the seemingly harmless information users reveal about themselves to find what they’ve hidden. Tinder, Happn, and Bumble were most vulnerable to this. With 60% accuracy, researchers say they could take the employment or education info in someone’s profile and match it to their other social media profiles. Whatever privacy built into dating apps is easily circumvented if users can be contacted via other, less secure social media sites, and it’s not difficult for some creep to register a dummy account just to message users somewhere else.
Next, the researchers found that several apps were susceptible to a location-tracking exploit. It’s very common for dating apps to have some sort of distance feature, showing how near or far you are from the person you’re chatting with—500 metres away, 2 miles away, etc. But the apps aren’t supposed to reveal a user’s actual location, or allow another user to narrow down where they might be. Researchers bypassed this by feeding the apps false coordinates and measuring the changing distances from users. Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor were all vulnerable to this exploit, the researchers said.
The most complex exploits were the most staggering. Tinder, Paktor, and Bumble for Android, as well as the iOS version of Badoo, all upload photos via unencrypted HTTP. Researchers say they were able to use this to see what profiles users had viewed and which pictures they’d clicked. Similarly, they said the iOS version of Mamba “connects to the server using the HTTP protocol, without any encryption at all.” Researchers say they could extract user information, including login data, letting them log in and send messages.
The most damaging exploit threatens Android users specifically, although it seems to require physical access to a rooted device. Using free apps like KingoRoot, Android users can gain superuser rights, letting them perform the Android equivalent of jailbreaking. Researchers exploited this, using superuser access to find the Facebook authentication token for Tinder, and gained full access to the account. Facebook login is enabled in the app by default. Six apps—Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor—were vulnerable to similar attacks and, because they store message history in the device, superusers could view messages.
The researchers say they have already sent their findings to the respective apps’ developers. That doesn’t make this any less worrisome, although the researchers explain your best bet is to a) never access a dating app via public Wi-Fi, b) install software that scans your phone for malware, and c) never specify your place of work or similar identifying information inside your dating profile. [SecureList]