Tinder Had a Bug That Let Hackers Take Over Your Account With a Phone Number

By Tom Pritchard on at

Last month it was reported that a flaw in Tinder's security could give complete strangers access to your matches and photos, and back in October is was one of many dating services that researchers hacked to reveal user photos and location data. Now there's a new bug that's been revealed, one that could have let hackers hijack your account with a phone number.

The good news is that Tinder has actually patched this bug out, so provided you keep the app updated you don't have anything to worry about. Still, it's pretty scary to think that someone could have taken over that easily.

According to a report from Appsecure this bug was actually the result of two separate vulnerabilities, one in Tinder itself and another in the Facebook Account Kit Tinder uses to log people in and out. The Facebook vulnerability exposed a user's access token, which hackers could then use to access a Tinder account because the Tinder API wasn't actually checking the Client ID. So to get in hackers only needed to get that token, and because Facebook's system was flawed it wasn't an impossibility.

Appsecure reported the respective flaws to both Tinder and Facebook as part of their bug bounty programmes, both of whom promptly issued patches fixing them. Both companies gave statements to The Verge addressing the issue, though Tinder wouldn't apparently wouldn't comment on the specifics of the report.

A spokesperson for Facebook said, "We quickly addressed this issue, and we’re grateful to the researcher who brought it to our attention.” Tinder's spokesperson clarified that security was of the utmost importance, saying, "Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers.”

If you are interested in the specifics, Appsecure has published a run down of the steps hackers would have to take it they had wanted to exploit the vulnerabilities for themselves. [Appsecure via The Verge]

More Security Posts: