Tinder has HTTPS problems
From a freshman emailing every Claudia on campus to a big security loophole – Tinder has generated plenty of headlines over the past 24 hours. And as much as I’d like to talk about the Claudia guy, write about how amusing that is, and attach that ‘You Sir, are a Genius’ meme here, I cannot (you can understand why).
So, instead let’s talk about how Tinder can potentially expose your photos as well as your actions.
Researchers at Tel Aviv-based firm Checkmarx have discovered some serious flaws on Tinder – and we’re not talking chipped teeth and lazy eyes. No, thanks to its lack of HTTPS encryption in some places and predictable HTTPS responses at others, Tinder may inadvertently be leaking information. Before this discovery, many had raised concerns regarding this, but for the first time, someone has laid it out in the open. Heck, they even uploaded videos on YouTube. If you’re a Tinder user (like me), this should concern you. Let me try to clarify the doubts and questions you must (and should) have on your mind.
What’s at stake?
For starters, those fancy profile pictures you’ve uploaded to your Android/iOS application can be seen by attackers. That’s because profile pictures are downloaded via unencrypted HTTP connections. So, it’s actually quite easy for a third party to see any pictures you’re viewing. And on top of that, a third party can also see what action you take when presented with those pictures. These “actions” include your left-swipes, right-swipes, and matches.
Here’s how your data can be snooped
Unfortunately, Tinder is not as secure as we – Tinder users – wish it to be. That is down to two things: 1) Lack of HTTPS encryption and 2) Predictable response where HTTPS encryption is used.
Basically, this is a very teachable lesson in how not to employ SSL. Does Tinder have SSL? Yes. Technically. Is Tinder using encryption correctly? No. Absolutely not. In one place it hasn’t deployed encryption on a critical access point. In the other, it’s actively undermining its encryption by making its responses entirely predictable.
Let’s understand both of these scenarios.
No HTTPS, Seriously Tinder?
Let me put this in simple words. Basically, there are two protocols via which the app can fetch information – HTTP and HTTPS. The ‘S’ stands for secure, and it makes all the difference. When a connection is made via HTTPS, the data in transit gets encrypted. In this case, that data would be your photos. That’s how it should be. Unfortunately, the Tinder app doesn’t request photos from its image server via HTTPS. Those requests are made on port 80 (plain HTTP). That’s why, if a user stays online long enough, a third party watching the traffic can identify his/her photos. And that’s also what lets someone see which profiles and pictures you’re viewing or have viewed recently.
Predictable HTTPS Response
The second vulnerability comes as a result of Tinder accidentally undermining its own encryption. When you see someone’s profile pictures, what do you do? You swipe, right? (That comma makes a world of difference.) You might swipe left, swipe right or swipe up. Communication of these swipes – from a user’s phone to the API server – is secured via HTTPS. However, there’s a catch, a massive one.
The responses of the API server might be encrypted, but they’re predictable. If you swipe left, it responds with 278 bytes. Similarly, a 374-byte response is sent for a right swipe, and a 581-byte response is sent in the case of a match. In layman’s terms, this is a lot like knocking on a box to see if it’s hollow.
Thus, a hacker can see your actions just by intercepting your traffic, without having to decrypt it. If I were a hacker, I’d have a big fat grin on my face. The fix to this is easy: Tinder just needs to pad the responses so they’re all one uniform size. Make them all 600 bytes, or some other standard size. Encryption doesn’t do a whole lot when you can guess what’s being sent simply by the size of the response.
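As an added example (not code from this post, from Tinder or from Checkmarx), here is the length-leak audit and the padding fix described above in Python. The three byte counts are the ones the post reports; the JSON field names, the sample bodies and padding to a multiple of 600 bytes are assumptions of mine.

```python
import json

# Response sizes the post reports for each swipe outcome, in bytes.
PAGE_SIZES = {"left": 278, "right": 374, "match": 581}
PAD_BLOCK = 600  # uniform size suggested in the post (assumption: pad to a multiple)


def sample_response(action):
    """Constructed JSON body sized to the post's figure for `action`.
    The field names are hypothetical, not Tinder's real API."""
    target = PAGE_SIZES[action]
    body = {"status": 200, "action": action, "filler": ""}
    overhead = len(json.dumps(body, separators=(",", ":")).encode())
    body["filler"] = "x" * (target - overhead)
    return json.dumps(body, separators=(",", ":")).encode()


def length_leak_report(responses):
    """Defender-side audit: group actions by on-the-wire body length.
    A length that maps to exactly one action reveals that action to a
    passive observer, because TLS adds a near-constant per-record
    overhead and so preserves plaintext length differences."""
    report = {}
    for action, body in responses.items():
        report.setdefault(len(body), []).append(action)
    return report


def leaking_actions(responses):
    """Actions that are identifiable from body length alone."""
    return sorted(a for acts in length_leak_report(responses).values()
                  if len(acts) == 1 for a in acts)


def pad_response(body, block=PAD_BLOCK):
    """Pad a JSON body with trailing spaces (which JSON parsers ignore) up
    to the next multiple of `block`, so different outcomes share a length.
    A body longer than one block is padded to the next multiple rather
    than truncated, the case a fixed "always 600" pad would get wrong."""
    return body + b" " * ((-len(body)) % block)


def padded_responses(responses, block=PAD_BLOCK):
    return {a: pad_response(b, block) for a, b in responses.items()}


def parse_response(body):
    """Client side: the padding is transparent to a JSON parser."""
    return json.loads(body)


if __name__ == "__main__":
    raw = {a: sample_response(a) for a in PAGE_SIZES}
    print("unpadded:", length_leak_report(raw), "leaks", leaking_actions(raw))
    fixed = padded_responses(raw)
    print("padded:  ", length_leak_report(fixed), "leaks", leaking_actions(fixed))
```

Padding only hides which bucket a response falls into, so keep the block larger than the longest legitimate response, and remember that request sizes and timing can leak the same information.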
Is privacy just a fallacy in today’s world?