US$ 150k 'dead or alive' bounty put on exploits
US$ 150k 'dead or alive' bounty put on exploits

An easy-to-exploit bug has left Tinder accounts and private chats exposed to hackers, revealed a researcher this week.

Indian engineer Anand Prakash, a serial bug hunter, said in a Medium post on Wednesday, 20 February, that a flaw in a Facebook-linked program called Account Kit let attackers access profiles armed with just a phone number. Account Kit has been implemented on Tinder and it has been used by developers to let users log on to a range of apps using mobile details or email addresses without a password.

According to Prakash, until recently, there was a crack in this process that could let hackers compromise "access tokens" from users' cookies. The attacker could then exploit a bug in Tinder to use the token, which stores security details, and log in to the dating account with little fuss.

Prakash, an ethical hacker known for finding bugs in popular websites, said of the Tinder bug, “the attacker basically has full control over the victim's account now. He can read private chats, full personal information and swipe other user profiles left or right”.

Earlier this year, on 23 January, a different set of “disturbing” vulnerabilities were found in Tinder's Android and iOS apps by Checkmarx Security Research Team.

Experts said hackers could use them to take control of profile pictures and swap them for “inappropriate content, rogue advertising or other type of malicious content.” The firm claimed that nefarious attackers could “monitor the user's every move” on the application.

A bug within Tinder is problematic as the app boasts an estimated 50 million users worldwide with roughly 40 percent of them based in North America, and a million dates facilitated a week according to the website, along with 1.6 billion swipes a day.

Paul Edon, director at Tripwire commented on the bug in a press statement saying: “Cyber-criminals do their best to take advantage of any weakness in technology and that includes well known apps. We are seeing it with Tinder and we saw it happen with Pokémon Go. Consumers must understand the more apps that have access to your personal information (like Snapchat, Twitter and Facebook) the more avenues there are for hackers to access your data. It is important to avoid uploading critical information where possible and it is essential to keep your devices, systems and applications up to date as they often include security fixes.”

Dr. Giovanni Vigna, CTO and co-founder of Lastline said: “This is a particularly worrying example of how social media can cause an issue, as the nature of the app means particularly sensitive or embarrassing data could have been exposed and leveraged by bad actors. For hackers, accessing social network credentials is not only an effective way to access personal data, but also to exploit the trust between users and the app to spread malware, and also expand the criminals' foothold if users re-use credentials (e.g. passwords and secret questions) across other accounts. The impact of this type of flaw, although now fixed, would be significantly reduced had 2-factor authentication been used.”