By Tinder Inc. (https://www.gotinder.com/press) [Public domain], via Wikimedia Commons
Security researchers at Appsecure discovered a way to log in to the Tinder account of anyone whose phone number they knew. The attack chained two flaws: one in Tinder's own login flow and one in Facebook's Account Kit API, which Tinder relies on for phone-number authentication. Both issues have since been fixed, but together they amounted to a serious lapse: a working account takeover that needed nothing more than the victim's phone number.
On Medium, Appsecure's Anand Prakash wrote: "Both the vulnerabilities were fixed by Tinder and Facebook quickly." Tinder and Facebook paid the company bounties of $1,250 and $5,000, respectively, for the report. This is not the first security flaw reported against Tinder, either: the company has previously been found to leave users' photos unencrypted in transit and, back in 2014, to have exposed users' exact locations for months before fixing it.
When users log in to Tinder with a phone number, that number is handed to Facebook's Account Kit, which is supposed to verify it (by SMS code) and return an access token that Tinder then accepts as proof of identity. Appsecure found two problems. First, a crafted API request to Account Kit could obtain a valid access token for a phone number without the verification step completing against the victim's phone. Second, Tinder's login endpoint did not check which Account Kit application the token had been issued for: it never compared the token's client ID with Tinder's own. As a result, any valid Account Kit token carrying a victim's phone number, including one issued to an unrelated app the attacker controlled, was enough to log in to that victim's Tinder account.
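The server-side half of the bug is easiest to see in code. The following is an added example, not Tinder's or Facebook's code: it models Account Kit's token introspection with a constructed lookup table (the `id` / `phone` / `application.id` response shape is assumed, modelled on the Graph API `/me` call), uses a hypothetical app ID for Tinder, and shows a login handler before and after the missing client-ID check. Both tokens in the table carry the victim's phone number, but only one was issued to Tinder's own Account Kit app.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical identifier for this example; not Tinder's real Account Kit app ID.
TINDER_ACCOUNT_KIT_APP_ID = "111111111111111"

# Constructed stand-in for Account Kit's token introspection response
# (shape assumed, modelled on the Graph API "/me?access_token=..." call).
# Both tokens name the victim's phone number; only the first was issued to
# Tinder's own app, the second to an app the attacker registered and can
# therefore mint tokens for without any SMS code reaching the victim.
SIMULATED_ACCOUNT_KIT_TOKENS = {
    "AK_victim_tinder_app": {
        "id": "1001",
        "phone": {"number": "+15551234567"},
        "application": {"id": "111111111111111"},
    },
    "AK_victim_attacker_app": {
        "id": "2002",
        "phone": {"number": "+15551234567"},
        "application": {"id": "999999999999999"},
    },
}

# Tinder-side account store keyed by phone number (constructed sample data).
USERS_BY_PHONE = {"+15551234567": "tinder-user-42"}


@dataclass
class LoginResult:
    user_id: Optional[str]   # None when login is refused
    reason: str              # why it was refused, or "ok"


def introspect_account_kit_token(token: str) -> Optional[dict]:
    """Stand-in for the network call to Account Kit; None means the token is unknown."""
    return SIMULATED_ACCOUNT_KIT_TOKENS.get(token)


def login_vulnerable(token: str) -> LoginResult:
    """Pre-fix logic as the article describes it: any valid Account Kit token
    whose phone number matches a Tinder account logs that account in, no matter
    which application the token was issued to."""
    info = introspect_account_kit_token(token)
    if info is None:
        return LoginResult(None, "invalid token")
    user = USERS_BY_PHONE.get(info["phone"]["number"])
    if user is None:
        return LoginResult(None, "no account for this number")
    return LoginResult(user, "ok")


def login_fixed(token: str) -> LoginResult:
    """Hardened logic: a token is only trusted if Account Kit says it was issued
    to Tinder's own application, so tokens from an attacker's app are rejected
    before the phone number is ever looked up."""
    info = introspect_account_kit_token(token)
    if info is None:
        return LoginResult(None, "invalid token")
    if info.get("application", {}).get("id") != TINDER_ACCOUNT_KIT_APP_ID:
        return LoginResult(None, "token issued for another app")
    user = USERS_BY_PHONE.get(info["phone"]["number"])
    if user is None:
        return LoginResult(None, "no account for this number")
    return LoginResult(user, "ok")


if __name__ == "__main__":
    for tok in SIMULATED_ACCOUNT_KIT_TOKENS:
        print(tok, "| vulnerable:", login_vulnerable(tok), "| fixed:", login_fixed(tok))
```

Run as a script, the attacker-app token logs in as `tinder-user-42` through `login_vulnerable` and is refused with "token issued for another app" by `login_fixed`. The general lesson is the same for any delegated-login provider: a token proves that some app verified some identity, so the relying party must check that the app is its own, not just that the identity field matches one of its users.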