Vulnerabilities in Tinder and in Facebook’s Account Kit tool could have allowed a hacker to take over a user’s Tinder account — gaining access to their private messages — using only the victim’s phone number.
The problem was discovered by Anand Prakash, a security researcher and has been fixed by both Tinder and Facebook.
Rather than requiring users to set up a username and password before they start swiping, Tinder uses Account Kit to allow people to log in using only their phone number. Users simply enter their phone number and receive a verification code via text message.
But Prakash found vulnerabilities in this setup that enabled him to log into someone’s Tinder account — and once he did, he’d be able to read their messages and swipe on their behalf.
“There was a vulnerability on Account Kit … which an attacker could have [used to] gained access to any user’s Account Kit account just by using their phone number. Once in, the attacker could have got hold of the user’s access token of Account kit present in cookies,” Prakash explained in a blog post. From there, the attacker could use the access token to log into someone else’s Tinder account.
“The Tinder API was not checking the client ID on the token provided by Account Kit,” Prakash explained. “This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.”
Fortunately, Prakash reported his findings through the companies’ respective bug bounty programs, which reward security researchers with cash in exchange for the vulnerabilities they uncover.
“We quickly addressed this issue, and we’re grateful to the researcher who brought it to our attention,” a Facebook spokesperson told Gizmodo. Prakash says that Facebook awarded him $US5000 ($6404) through its bug bounty program for finding the vulnerability. He also received $US1250 ($1601) from Tinder.
A representative for the dating app did not immediately respond to a request for comment.