Tinder isn’t known for being the most secure app. Most users are just looking for a match when they swipe away. A new report finds that Tinder isn’t using encryption to keep photos safe from strangers using the same Wi-Fi network.
This may not be a problem at home, but on public Wi-Fi networks, hackers can see people’s Tinder photos.
Israeli firm Checkmarx found that users’ information on Tinder’s iOS and Android apps was not being protected using basic HTTPS encryption. The lack of encryption would make it easy for anyone to view people’s Tinder photos or add photos to users’ profiles.
Hackers can work out what the encrypted traffic contains by combining the HTTP connection with the predictable size of HTTPS responses. This allows them to view users’ swiping activity. For secure data, Tinder uses the HTTPS communications protocol. For profile images, Tinder uses HTTP, an older, less secure protocol.
Because of the HTTP connections, anyone on the same network as the user can explore their profile and view their activity on the app. Hackers can view all the images sent to and from the device. They’re also able to alter the images and add images if they’d like to.
Even when the more secure HTTPS protocol is used to secure information, a hacker can see what actions users take on other profiles. Encrypted information on Tinder can still be told apart based on differences in the length of the encrypted data for a like, a dislike, and a super like. This allows hackers to observe the actions that users are taking on Tinder.
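The length leak described above, with one common mitigation (padding every response to a fixed size), as an added example that is not code from Checkmarx or Tinder. The response payloads, the 16-byte encryption overhead and the 512-byte padding bucket are all assumptions made for illustration.

```python
import json
import struct

TAG_OVERHEAD = 16  # assumption: the cipher adds a fixed-size tag, so ciphertext length tracks plaintext length
BUCKET = 512       # assumption: pad every response body up to a multiple of this many bytes

# Constructed sample API responses (hypothetical, not Tinder's real payloads).
RESPONSES = {
    "dislike": json.dumps({"status": 200}).encode(),
    "like": json.dumps({"status": 200, "match": False, "likes_remaining": 100}).encode(),
    "super_like": json.dumps({"status": 200, "match": False,
                              "super_likes": {"remaining": 0,
                                              "resets_at": "1970-01-01T00:00:00Z"}}).encode(),
}

def wire_length(plaintext: bytes) -> int:
    """Length an on-path observer sees for one encrypted response (simplified model)."""
    return len(plaintext) + TAG_OVERHEAD

def pad(body: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the real length, then zero-fill to the next bucket boundary."""
    framed = struct.pack(">I", len(body)) + body
    return framed + b"\x00" * (-len(framed) % bucket)

def unpad(padded: bytes) -> bytes:
    """Recover the original body from a padded frame."""
    (n,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + n]

def report(bodies: dict) -> dict:
    """Map each action to the encrypted length visible on the network."""
    return {action: wire_length(body) for action, body in bodies.items()}

def leaks_action(bodies: dict) -> bool:
    """True if any action has a unique encrypted length, i.e. the length identifies it."""
    lengths = list(report(bodies).values())
    return any(lengths.count(n) == 1 for n in lengths)

if __name__ == "__main__":
    print("unpadded:", report(RESPONSES), "leaks:", leaks_action(RESPONSES))
    padded = {action: pad(body) for action, body in RESPONSES.items()}
    print("padded:  ", report(padded), "leaks:", leaks_action(padded))
```

The same `leaks_action` check can be run in a test suite against real serialized responses to confirm that padding has made the action types indistinguishable by size.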
Being able to spy on people’s Tinder preferences can be dangerous. Knowing this information, hackers can blackmail users using their sexual preferences and other private information on the app. Besides the breach of information, hackers can change photos to ads or inappropriate images.
Tinder responded to the flaw by saying that only the profile images are unencrypted before adding that it’s working on security fixes.
“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers,” said Tinder in a statement. “For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well.”
Checkmarx said it told Tinder of the security flaw months ago, but the app hasn’t taken any action to correct the error, so the firm took it upon itself to make the flaw public.