Researchers from the Moscow-based Kaspersky Lab have discovered that using simple exploits, they could uncover sensitive data, like location and message history, for users of 9 dating apps for iOS and Android, including Tinder, Bumble and OK Cupid.
Researchers found that the dating apps in question had minimal security in a number of aspects, meaning that only basic hacking was needed to access data that could leave users vulnerable to such threats as blackmail and stalking. The nine apps studied included Tinder, Bumble, OK Cupid, Badoo, Mamba, Zoosk, Happn, WeChat and Paktor. Both the iOS and Android versions of each of the apps were examined; some exploits only worked for one of the operating systems.
Before the researchers began actually breaking into the systems, they first identified a privacy problem with some of the apps. Users often put their employment or education history in their bios, which the researchers could link to those users' other social media profiles with around 60 percent accuracy. Any privacy or block feature is therefore negated if people can contact them on other sites with relative ease. Tinder, Happn and Bumble were the most susceptible to this kind of cross-matching.
The first exploit the researchers demonstrated was tracking the location of users met on the apps. Most apps match people based on how close they are, as clearly it would not be helpful for someone to swipe right on another user who is hundreds of miles away. The distance from the user is often noted underneath the profile, displaying whether they are just around the corner or a short bus journey away. Using this data, the researchers fed a string of false co-ordinates into their profile and watched the changing distances of their matches; from those distances they could then triangulate a likely location for each match.
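As an added illustration (not Kaspersky's code, nor any of the apps' own), the Python sketch below shows the server-side mitigation a defender would want against the distance probe described above: the displayed distance is computed from a location snapped to a coarse grid rather than from the true position, and a small leakage test contrasts this with merely rounding the true distance. The flat-map metre coordinates, the 1 km cell size and the sample positions are assumptions constructed for the example.

```python
import math

CELL_M = 1000.0  # grid cell size in metres (chosen for illustration)


def naive_distance_km(viewer, target):
    """Rounding the true distance to whole km: the rounding boundary still
    moves with the target's exact position, so it can be probed."""
    return round(math.hypot(viewer[0] - target[0], viewer[1] - target[1]) / 1000.0)


def snap_to_grid(point, cell=CELL_M):
    """Centre of the grid cell containing point = (x_m, y_m)."""
    return tuple((math.floor(c / cell) + 0.5) * cell for c in point)


def snapped_distance_km(viewer, target, cell=CELL_M):
    """Distance from the viewer to the target's snapped cell centre. The
    true position never enters the calculation, whatever the viewer sends."""
    return naive_distance_km(viewer, snap_to_grid(target, cell))


def distinguishable(report, viewers, target_a, target_b):
    """Leakage test for a distance function: True if any viewer position
    yields different reported distances for two candidate target positions."""
    return any(report(v, target_a) != report(v, target_b) for v in viewers)


def max_recoverable_error_m(cell=CELL_M):
    """Worst-case gap between the true position and the cell centre, which is
    all that any number of probes can pin down: half the cell diagonal."""
    return cell * math.sqrt(2) / 2


if __name__ == "__main__":
    # Constructed sample: two positions 10 m apart inside the same 1 km cell,
    # and a viewer placed where whole-km rounding flips between them.
    a, b = (12345.0, 67890.0), (12355.0, 67890.0)
    viewers = [(13849.0, 67890.0), (10000.0, 70000.0)]
    print("naive rounding leaks:", distinguishable(naive_distance_km, viewers, a, b))
    print("grid snapping leaks:", distinguishable(snapped_distance_km, viewers, a, b))
    print("worst-case error after snapping (m):", round(max_recoverable_error_m()))
```

The leakage test is the check to run against a distance endpoint: if two candidate positions inside one cell ever produce different reported distances, the endpoint still leaks finer-than-cell information.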
Tinder, Paktor, and Bumble for Android, and Badoo for iOS, all upload photos to their servers over unencrypted HTTP. The researchers could then use this vulnerability to extract information about which profiles a user had viewed and which pictures they had clicked on. The iOS version of Mamba did not use any encryption at all for pictures; this allowed the researchers to capture the actual login data and log in as the targeted users.
The final reported exploit was the most severe, and related to the Android versions specifically. Free apps could be used to gain so-called “superuser rights,” which in turn allowed access to the Facebook authentication token used by Tinder. This serious breach permitted full access to the Facebook accounts of anyone targeted. Bumble, OK Cupid, Badoo, Happn and Paktor were also vulnerable to the same kind of attack, meaning private messages could be easily read.
The findings have been sent off to the developers of the 9 apps. The researchers gave Gizmodo a few tips to ensure greater security when using dating apps:
- Don’t access an app using public Wi-Fi networks.
- Install malware-detecting software on your phone.
- Never write down your place of work or other identifying information on your dating profile.