Woah! Tinder flaw allowed access to accounts through phone number
According to the findings of security firm Appsecure, a Tinder login flaw allowed anyone to access an account just by using its registered phone number. Tinder has since changed its login system to fix the issue, but the security lapse itself was serious. Here is more on the fragile login system of the popular dating app.
Facebook API that managed Tinder logins was flawed as well
The attack combined a flaw in Tinder's login process with a flaw in the Facebook API used to manage its logins. When a user logs in to Tinder, they have the option of using their phone number as the username, which is sent to Facebook's Account Kit system for authentication. The Facebook flaw allowed the access token tied to a phone number to be retrieved through a simple API request.
Tinder's login system wasn't cross-checking the Facebook tokens
In addition, Tinder's implementation of the Facebook API had its own vulnerability. Tinder's login system wasn't verifying these access tokens against the client ID of the associated user, meaning any valid access token could get an attacker into the account. This let the researchers take over a Tinder account, with full access to the profile and chats.
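The missing check described above, as an added example that is not Tinder's or Facebook's code: a login backend that accepts any token the identity provider calls valid, beside one that also requires the token to have been issued to the backend's own client ID. The token-introspection response format and all IDs are constructed stand-ins, not Account Kit's real fields.

```python
"""Added example: why a login backend must check which client an access
token was issued to, not merely that the token is valid.

The introspection response layout and every identifier below are constructed
placeholders; the real provider API is not modelled."""
from typing import Optional

# Client (app) ID that our own login backend registered with the identity provider.
OUR_CLIENT_ID = "client-app-1111"  # constructed placeholder

# Constructed stand-in for the provider's token-introspection data:
# token -> which client it was issued to, and which phone number it authenticates.
TOKEN_STORE = {
    "tok-legit": {"client_id": "client-app-1111", "phone": "+15550100"},
    # Same phone number, but the token was minted for a different client app.
    "tok-other-app": {"client_id": "client-app-9999", "phone": "+15550100"},
}


def introspect(token: str) -> Optional[dict]:
    """Stand-in for the provider's token-introspection call (constructed)."""
    return TOKEN_STORE.get(token)


def login_vulnerable(token: str) -> Optional[str]:
    """Flawed check: any token the provider reports as valid is accepted and the
    account is selected by phone number alone, so a token from another app for
    the same number opens the account."""
    info = introspect(token)
    if info is None:
        return None
    return info["phone"]  # account keyed by phone number, no audience check


def login_hardened(token: str) -> Optional[str]:
    """Fixed check: the token must also have been issued to *our* client ID."""
    info = introspect(token)
    if info is None:
        return None
    if info.get("client_id") != OUR_CLIENT_ID:
        # Valid token, wrong audience: reject (worth logging as a detection signal).
        return None
    return info["phone"]
```

Rejected cross-client tokens are a useful detection signal, since a legitimate login flow should never present a token issued to another application.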
Both Tinder and Facebook took note of the problem
Appsecure received rewards of $5,000 and $1,250 from Facebook and Tinder's respective bug bounty programs for reporting the vulnerability. "We quickly addressed this issue and we're grateful to the researcher who brought it to our attention," Facebook said.
Won't disclose security patch in detail: Tinder
Tinder, meanwhile, said: "Security is a top priority at Tinder. We are constantly improving our protocols to not only meet, but exceed industry best practices. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers."