Bug Made It Possible to Take Over Tinder Accounts with Just a Phone Number

PublishedFebruary 22, 2018

We may earn a commission from links on this page.

Vulnerabilities in Tinder and in Facebook’s Account Kit tool could have allowed a hacker to take over a user’s Tinder account—gaining access to their private messages—using only the victim’s phone number.

Watch

Giving Optimus Prime a Proper Back Story | io9 Interview

view video

Giving Optimus Prime a Proper Backstory | io9 Interview

Rob Savage on Collaborating with Yellowjackets’ Sophie Thatcher

Tuesday 10:04AM

Coastal Animals Are Thriving on Plastic Pollution Out in the Pacific Ocean | Extreme Earth

Monday 5:37PM

The problem was discovered by Anand Prakash, a security researcher, and has been fixed by both Tinder and Facebook.

Rather than requiring users to set up a username and password before they start swiping, Tinder uses Account Kit to allow people to log in using only their phone number. Users simply enter their phone number and receive a verification code via text message.

But Prakash found vulnerabilities in this setup that enabled him to log into someone’s Tinder account—and once he did, he’d be able to read their messages and swipe on their behalf.

“There was a vulnerability on Account Kit, ... which an attacker could have [used to] gained access to any user’s Account Kit account just by using their phone number. Once in, the attacker could have got hold of the user’s access token of Account kit present in cookies,” Prakash explained in a blog post. From there, the attacker could use the access token to log into someone else’s Tinder account.

“The Tinder API was not checking the client ID on the token provided by Account Kit,” Prakash explained. “This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.”

Fortunately, Prakash reported his findings through the companies’ respective bug bounty programs, which reward security researchers with cash in exchange for the vulnerabilities they uncover.

“We quickly addressed this issue, and we’re grateful to the researcher who brought it to our attention,” a Facebook spokesperson told Gizmodo. Prakash says that Facebook awarded him $5,000 through its bug bounty program for finding the vulnerability. He also received $1,250 from Tinder. A representative for the dating app did not immediately respond to a request for comment.

Update, 6:30 p.m.: “Security is a top priority at Tinder,” a spokesperson for the company said in a statement. “Like other major global technology companies, we employ a network of tools and systems to protect the integrity of our platform. As part of our ongoing efforts in this arena, we employ a Bug Bounty Program and work with skilled security researchers across the globe to responsibly identify potential issues and quickly resolve them.”