The flaws stem from Tinder’s failure to encrypt profile images. This gap allows hackers to view the profiles and images that other users view while connected to open Wi-Fi networks. The study, conducted by the security firm Checkmarx, also demonstrates that hackers can see when chats began. However, the hackers are not able to see the content of the private chats.
“It’s very simple to execute because the problem is, Tinder actually neglected to encrypt some of the data,” Amit Ashbel, the director of product marketing at Checkmarx, said. “You just have to listen to the network and you’ll have the images available to you.”
Tinder did not reveal the tools they use to secure the app, but a spokesperson claims that they take the privacy of their users very seriously.
“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypted profile images, and we are working towards encrypting images on our app experience as well,” the spokesperson said. “However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers.”
Checkmarx posted a video on YouTube to show how hackers are able to access what victims view in their personalized Tinder apps. The security firm went on to say that victims have no way of knowing if hackers are monitoring them. However, there is a way for users to avoid being monitored by lurkers.
“If you don’t want people to know what’s going on in your Tinder account, preferably use a secure Wi-Fi network,” Ashbel said. “The second one is what I recommend to all my friends, is anything you don’t want visible to all people, don’t do on a network-connected device.”
Tinder’s spokesperson also said that the online version of the service is HTTPS-encrypted and noted that the company plans to expand those protections to every platform. However, Checkmarx does not believe that HTTP is secure enough to protect the millions of users that use the program every day.
Checkmarx believes this behavior is inappropriate for an app that holds personal information such as the age, location, employer and sexual preferences of its users. The firm strongly encourages the use of encrypted connections throughout the dating app. It also recommends padding several other commands in the app. The company can do this by adding noise so that every command is the same size and unreadable within the app’s stream of data. If the company does not implement app-wide encryption soon, Checkmarx believes that hackers will continue to snoop, publicize the data of victims around the world and derail the future of a promising company.
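The padding recommendation above can be sketched as follows. This is an added example, not code from Checkmarx or Tinder: the command names, the JSON framing and the 512-byte block size are assumptions made for illustration, and the padding is meant to be applied before the message is encrypted in transit.

```python
import json
import os
import struct

BLOCK = 512  # assumed block size; every message is padded to a multiple of this

def pad_command(command: dict, block: int = BLOCK) -> bytes:
    """Serialize a command and pad it to a whole number of blocks."""
    body = json.dumps(command, separators=(",", ":")).encode("utf-8")
    framed = struct.pack(">I", len(body)) + body  # 4-byte big-endian length prefix
    pad_len = -len(framed) % block
    # Random filler is the "noise"; the receiver discards it.
    return framed + os.urandom(pad_len)

def unpad_command(message: bytes, block: int = BLOCK) -> dict:
    """Strip the filler and return the original command, rejecting bad framing."""
    if len(message) < 4 or len(message) % block != 0:
        raise ValueError("message is not a whole number of blocks")
    (body_len,) = struct.unpack(">I", message[:4])
    if body_len > len(message) - 4:
        raise ValueError("length prefix exceeds message size")
    return json.loads(message[4:4 + body_len].decode("utf-8"))

def raw_sizes(commands) -> list:
    """Sizes an observer sees when commands are sent without padding."""
    return [len(json.dumps(c, separators=(",", ":")).encode("utf-8")) for c in commands]

def padded_sizes(commands, block: int = BLOCK) -> list:
    """Sizes an observer sees once every command is padded."""
    return [len(pad_command(c, block)) for c in commands]

# Constructed sample commands (hypothetical names, not the app's real protocol).
SAMPLE_COMMANDS = [
    {"action": "approve", "profile": "u-1001"},
    {"action": "reject", "profile": "u-1001"},
    {"action": "open_chat", "profile": "u-1001", "note": "x" * 120},
]

if __name__ == "__main__":
    print("unpadded:", raw_sizes(SAMPLE_COMMANDS))    # sizes differ per command
    print("padded:  ", padded_sizes(SAMPLE_COMMANDS))  # all identical
```

Padding only hides which command was sent once the padded message is also encrypted; on a plaintext connection the command is readable regardless of its length.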