A major Tinder security vulnerability has been revealed by Appsecure security researchers. The issue left Tinder accounts potentially exposed to infiltrators by only requiring a phone number to log in. This was due to issues with the Facebook API and the Tinder app’s login process, both of which have already been fixed.
Appsecure’s Anand Prakash detailed the security issue on Medium, where it was explained that a Tinder user’s account could have been accessed by someone who had their phone number. The account takeover vulnerability was due to Facebook’s Account Kit, which has since been fixed. Account Kit is used by Tinder to allow for mobile phone number logins.
The researchers explain that when a Tinder user logs into the app using their mobile number, that process is passed on to Facebook’s Account Kit, which authenticates the login. Through the then-available exploit, it was possible for a hacker to get an access token from Facebook with the user’s phone number.
From there, Tinder’s login system failed to check whether the access token was associated with the targeted user’s ID, ultimately leaving the account vulnerable. Both companies worked quickly to fix the issue, according to Appsecure.
The team went on to demonstrate the vulnerability on a video (above), though obviously it is no longer valid. According to the team, Tinder rewarded them $1,250 for the vulnerability discovery and Facebook awarded them $5,000.