Swiping on Tinder? Beware, Someone Might be Watching Your Swipes and Matches
Tinder has HTTPS problems
From a freshman emailing every Claudia on campus to a big security loophole – Tinder has generated plenty of headlines over the past 24 hours. And as much as I’d like to talk about the Claudia guy, write about how amusing that is, and attach that ‘You Sir, are a Genius’ meme here, I cannot (you can understand why).
So, instead let’s talk about how Tinder can potentially expose your photos as well as your actions.
Researchers at Tel Aviv-based firm Checkmarx have discovered some serious flaws on Tinder – and we’re not talking chipped teeth and lazy eyes. No, thanks to its lack of HTTPS encryption in some places and predictable HTTPS responses at others, Tinder may inadvertently be leaking information. Before this discovery, many had raised concerns regarding this, but for the first time, someone has laid it out in the open. Heck, they even uploaded videos on YouTube. If you’re a Tinder user (like me), this should concern you. Let me try to clarify the doubts and questions you must (and should) have on your mind.
What’s at stake?
For starters, those fancy profile pictures you’ve uploaded to your Android/iOS application can be seen by attackers. That’s because profile pictures are downloaded via unencrypted HTTP connections. So, it’s actually quite easy for a third party to see any pictures you’re viewing. And on top of that, a third party can also see what action you take when presented with those pictures. These “actions” include your left-swipes, right-swipes, and matches.
Here’s how your data can be snooped
Unfortunately, Tinder is not as secure as we – Tinder users – wish it to be. That is down to two things: 1) Lack of HTTPS encryption and 2) Predictable response where HTTPS encryption is used.
Basically, this is a very teachable lesson in how not to employ SSL. Does Tinder have SSL? Yes. Technically. Is Tinder using encryption correctly? No. Absolutely not. In one place it hasn’t deployed encryption on a critical access point. In the other, it’s actively undermining its encryption by making its responses entirely predictable.
Let’s understand both of these scenarios.
No HTTPS, Seriously Tinder?
Let me put this in simple words. Basically, there are two protocols via which information can be transferred – HTTP and HTTPS. The ‘S’ standing for secure makes all the difference. When a connection is made via HTTPS, the data in-transit gets encrypted. In this case, that data would be your photos. That’s how it should be. Unfortunately, the Tinder app doesn’t allow users to send requests for photos to its image server via HTTPS. They’re made on port 80 (HTTP). That’s why if a user stays online long enough, his/her photos could be identified. Additionally, that’s what lets someone see what profiles and pictures you’re viewing or have viewed recently.
Predictable HTTPS Response
The second vulnerability comes as a result of Tinder accidentally undermining its own encryption. When you see someone’s profile pictures, what do you do? You swipe, right? (That comma makes a world of difference.) You might swipe left, right or swipe up. Communication of these swipes – from a user’s phone to the API server – is secured via HTTPS. However, there’s a catch, a massive one.
The responses of the API server might be encrypted, but they’re predictable. If you swipe left, it responds with 278 bytes. Similarly, a 374-byte response is sent for a right swipe, and a 581-byte response is sent in the case of a match. In layman’s terms, this is a lot like knocking a box to see if it’s hollow.
Thus, a hacker can see your actions just by intercepting your traffic, without having to decrypt it. If I were a hacker, I’d have a big fat grin on my face. The fix to this is easy: Tinder just needs to pad the responses so they’re all one uniform size. Make them all 600 bytes, something standard. Encryption doesn’t do a whole lot when you can guess what’s being sent simply by the size of the response.
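The padding fix described above, as an added sketch that is not from the original article or from Tinder's code. It assumes JSON response bodies; the `pad` field name and the sample payloads are constructed for illustration and do not reflect Tinder's real API schema.

```python
import json

BUCKET = 600     # uniform body size the article suggests, in bytes
PAD_KEY = "pad"  # hypothetical filler field; clients discard it


def encode(payload: dict) -> bytes:
    """Compact JSON encoding, as an API server would put it on the wire."""
    return json.dumps(payload, separators=(",", ":")).encode("utf-8")


def pad_response(payload: dict, bucket: int = BUCKET) -> bytes:
    """Return the JSON body padded to the next multiple of `bucket` bytes."""
    if PAD_KEY in payload:
        raise ValueError("payload already uses the padding field")
    # Measure the body with an empty filler so the field's own overhead counts.
    base = len(encode({**payload, PAD_KEY: ""}))
    # Round up: a body larger than one bucket lands on 2x, 3x, ... the bucket.
    target = -(-base // bucket) * bucket
    # ASCII filler is one byte per character and needs no JSON escaping.
    return encode({**payload, PAD_KEY: "x" * (target - base)})


def unpad_response(body: bytes) -> dict:
    """Client side: parse the body and drop the filler field."""
    payload = json.loads(body)
    payload.pop(PAD_KEY, None)
    return payload


def leaks_by_size(bodies) -> bool:
    """True if body lengths alone are enough to tell the responses apart."""
    return len({len(b) for b in bodies}) > 1


# Constructed sample responses for a left swipe, a right swipe and a match.
SAMPLES = {
    "left": {"status": 200, "action": "pass"},
    "right": {"status": 200, "action": "like", "likes_remaining": 100},
    "match": {"status": 200, "action": "like",
              "match": {"id": "a" * 48, "users": ["u1", "u2"]}},
}
```

If the server compresses responses, pad after compression or turn compression off for these endpoints, because a run of filler bytes compresses away and the lengths diverge again.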
Concluding Thought
Is privacy just a fallacy in today’s world?