Snoopers could see the images downloaded by Tinder users, and whether those users swiped left or right on them, according to a security company.
Uncovered by researchers at application security testing company Checkmarx, the vulnerabilities stem from the app's use of an unencrypted HTTP connection for profile images, and from predictable HTTPS response sizes which allow an attacker to infer, from the length of the encrypted traffic alone, what action the user took on another user's profile.
"The encryption is done in a method which actually allows the attacker to understand the encryption itself, or derive from the type and length of the encryption what data is actually being used," Amit Ashbel, cybersecurity evangelist at Checkmarx, told ZDNet.
In most aspects of the application, Tinder uses the HTTPS protocol for secure transfer of data. However, when it comes to users' profile images, Tinder still uses HTTP, the older, unencrypted protocol, something which "in 2018, isn't justified any more," Erez Yalon, manager of application security research at Checkmarx, told ZDNet.
Because the requests Tinder makes to download images travel over HTTP, an attacker on the same network as the user, such as a public wi-fi hotspot, can see which profiles the user is viewing and whether they are opening and sending messages. Since the traffic is unauthenticated as well as unencrypted, the attacker can also alter the images in transit.
"What it allows them to do is see all the images that are sent to and from the device in an open network. Also it allows them to change them. If they want to do it maliciously, they can change the images, they could put adverts in," said Yalon.
A second issue stems from the way Tinder's API responses are encrypted, even where HTTPS is used. The encryption itself is not broken; the leak is a side channel in the traffic. An attacker who can already see, via HTTP, which profile images the user is downloading can also watch the encrypted API traffic and tell what action the user took on each profile: a like, a dislike, or a super like.
The Tinder API sends an encrypted response from the server for each action the user takes. But those responses are predictable, because the encrypted payload is always the same size for a given action: one size for a like, another for a dislike, and another for a super like. Since TLS hides the content of a message but not its length, an attacker observing the encrypted packets can read off which action the user took on each profile they viewed.
"If the length is a specific size, I know it was a swipe left, if it was another length, I know it was swipe right. And since I know the picture, I can derive exactly which picture the victim liked, didn't like, matched, or super matched. We managed, one by one to connect, with each signature, their exact response," said Yalon.
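The leak described above is a length side channel: TLS-style encryption preserves the size of the plaintext, so a response body that differs per action leaks the action. The following model, added here as an illustration and not code from Checkmarx or Tinder, reproduces the attack end to end and also shows the padding fix that removes it. The three JSON response bodies, the session key and the toy record cipher are all constructed for the example; the real API responses are not on the page, and the toy cipher (SHA-256 counter-mode keystream plus an HMAC tag) stands in for a TLS AEAD record only in the property that matters here, namely that ciphertext length equals plaintext length plus a constant.

```python
"""Model of a length side channel on length-preserving (TLS-style) encryption."""
import hashlib
import hmac
import json
import os

# Constructed sample API responses, one per swipe action. The real bodies are not
# known; the point is only that each action produces a response of a distinct size.
SAMPLE_RESPONSES = {
    "like": json.dumps({"match": False, "likes_remaining": 100}),
    "dislike": json.dumps({"status": 200}),
    "superlike": json.dumps({"match": False, "super_likes": {"remaining": 1,
                             "resets_at": "2018-01-24T00:00:00Z"}}),
}
SERVER_KEY = os.urandom(32)  # constructed session key; the eavesdropper never learns it


def toy_encrypt(key, plaintext):
    """Stand-in for a TLS AEAD record: 12-byte random nonce, SHA-256 counter-mode
    keystream, 16-byte HMAC tag. Like a real AEAD cipher it hides content but not
    length: len(output) == len(plaintext) + 28 for every message."""
    nonce = os.urandom(12)
    keystream = b""
    counter = 0
    while len(keystream) < len(plaintext):
        keystream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    body = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + body + tag


def pad_to_bucket(body, bucket=256):
    """Mitigation: pad each response with trailing spaces (ignored by JSON parsers)
    up to the next multiple of `bucket` bytes, so length no longer depends on action."""
    pad = (-len(body)) % bucket
    return body + " " * pad


def server_response(action, padded):
    """The server's encrypted reply to a swipe, with or without the padding fix."""
    body = SAMPLE_RESPONSES[action]
    if padded:
        body = pad_to_bucket(body)
    return toy_encrypt(SERVER_KEY, body.encode())


def build_fingerprints(padded):
    """Attacker's calibration step: swipe on their own account and record the
    encrypted response length per action. No key is needed, only a packet sniffer."""
    table = {}
    for action in SAMPLE_RESPONSES:
        size = len(server_response(action, padded))
        table.setdefault(size, set()).add(action)
    return table


def infer_action(ciphertext, fingerprints):
    """Classify a victim's response by length: the action if the length is unique
    to one action, None if several actions share it."""
    candidates = fingerprints.get(len(ciphertext), set())
    return next(iter(candidates)) if len(candidates) == 1 else None


def attack_demo(padded=False):
    """Simulate the victim performing each action; return {true_action: inferred}."""
    fingerprints = build_fingerprints(padded)
    return {action: infer_action(server_response(action, padded), fingerprints)
            for action in SAMPLE_RESPONSES}


if __name__ == "__main__":
    print("unpadded:", attack_demo(False))  # every action recovered from length alone
    print("padded:  ", attack_demo(True))   # all None: the three lengths now collide
```

Run unpadded, every swipe is recovered from the record length; run padded, all three responses have the same size and the classifier can no longer distinguish them. Bucketing is the simplest fix; random padding per response is the alternative, and either way the check a reviewer should make is that the set of response lengths for the different actions overlaps completely, not merely mostly.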
The combination of unencrypted HTTP image downloads and predictable HTTPS response sizes allows an attacker on the same network to spy on Tinder users without anyone knowing their privacy is being compromised. No special technique is needed: the attacker only needs a packet sniffer to capture the traffic.
"The attack is completely invisible because we're not doing anything active," said Yalon. "If you're on an open network you can do this, you can just sniff the packet and know exactly what's going on, while the user has no way to prevent it or even know it has happened."
The researchers haven't found evidence of this exploit being used, but Yalon told ZDNet, since there's no way to trace the covert attack, "we cannot be sure it is not happening".
Checkmarx informed Tinder of the vulnerabilities a few months ago, but the security firm has decided to go public with the research in an effort to make users aware of the risks, as a fix has yet to be issued.
"We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform," a Tinder spokesperson told ZDNet.
"Like every other technology company, we are constantly improving our defences in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well," the spokesperson continued.
"However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers," the spokesperson added.
According to Checkmarx, Tinder should move all images to HTTPS so they cannot be read or altered in transit. Tinder has also been advised to ensure that the encrypted responses no longer have a length that reveals the action taken, for example by padding every response to the same size.
"It should be relatively easy, I hope they pick up what we told them and build a fix," said Yalon, who also warned that just applying encryption and HTTPS isn't enough to ensure security because "you need to think about the entire process of how not to disclose".