Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com)
Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Re: (Score:3)
Being that it is a popular app, there will be a lot of people using it.
There are a lot of taboos in our culture around dating and sexuality in general.
Realizing the perfectly normal seeming person has some sort of fetish can often be used against them by making it public, making people feel uncomfortable, or being a reason to separate them from a particular job or group. Or causing divorces and other things, from a moment of curiosity or bad judgement.
These types of services really should take privacy seriously
Re: (Score:1)
Re: (Score:2)
If you are using an app you may not have such visibility. Even if you are using a website, who other than us tech guys will dig down into the HTML and see the pictures are not encrypted?
This argument is like what Microsoft did in the late 1990s to push ActiveX over Java. The Java applet avoided writing and reading directly to your disk, limiting its functionality. This wasn't a factor in ActiveX. However, the app would pop up an alert stating that this could be dangerous, figuring that the average p
Re:who gives a shit (Score:5, Insightful)
Re: who gives a shit (Score:1)
Re:who gives a shit (Score:5, Funny)
If you are using the Internet you aren't taking privacy seriously.
That's why I never use the internet. I especially don't use it to post comments to a forum where anyone else might see my opinions on things.
Re: (Score:2)
Re: (Score:2)
The issue is these people may not actually be perverts, but just looking for romance.
Re: (Score:2)
There is also the opportunity for blackmail. A few choice photos that were "leaked" can ruin someone's career, or in some countries, have them executed.
I thought other places would have learned a lesson in protecting their users after the Ashley Madison breach, with the fallout that happened over that. However, guess not.
Time to swipe left on that service until they actually put some value into their internal security.
Half of that is obvious (Score:2)
Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder.
When different user actions result in widely different application behavior, it will always be easy to infer the user action. E.g., if matching is the only action that does not result in a new profile being presented, then observation of the smaller data exchange will lead to that inference.
The only way to avoid this is to make the network traffic identical for all cases, which is extremely wasteful of bandwidth and, presumably, battery life.
That said, encryption of all data should be standard now. There is
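The trade-off described in the comment above, as an added example that is not part of the original post or of any Tinder or Checkmarx code: encryption preserves message length, so padding every response to a fixed bucket removes the size signal at a measurable bandwidth cost. The action names, payloads, bucket size and tag length are constructed assumptions.

```python
import json
import struct

BUCKET = 1024        # assumed padding block size in bytes
AEAD_OVERHEAD = 16   # assumed fixed authentication-tag length added by encryption

# Constructed plaintext responses for three user actions (not real API payloads).
SAMPLE = {
    "pass": json.dumps({"ok": True}).encode(),
    "like": json.dumps({"ok": True, "likes_left": 42}).encode(),
    "match": json.dumps({"ok": True, "match": {"id": "x" * 24}}).encode(),
}

def pad(body: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix the body, then zero-pad to a multiple of the bucket size."""
    framed = struct.pack(">I", len(body)) + body
    return framed + b"\x00" * (-len(framed) % bucket)

def unpad(padded: bytes) -> bytes:
    """Recover the original body; reject a length prefix that overruns the frame."""
    if len(padded) < 4:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("corrupt length prefix")
    return padded[4:4 + n]

def wire_len(plaintext: bytes) -> int:
    """Size visible on the network: ciphertext length tracks plaintext length."""
    return len(plaintext) + AEAD_OVERHEAD

def distinguishable(lengths: dict) -> bool:
    """True if observed sizes alone separate at least two actions."""
    return len(set(lengths.values())) > 1

def overhead(sample: dict, bucket: int = BUCKET) -> float:
    """Bandwidth multiplier paid for padding the sample responses."""
    raw = sum(len(b) for b in sample.values())
    return sum(len(pad(b, bucket)) for b in sample.values()) / raw

if __name__ == "__main__":
    before = {a: wire_len(b) for a, b in SAMPLE.items()}
    after = {a: wire_len(pad(b)) for a, b in SAMPLE.items()}
    print("unpadded:", before, "leaks action:", distinguishable(before))
    print("padded:  ", after, "leaks action:", distinguishable(after))
    print(f"bandwidth multiplier: {overhead(SAMPLE):.1f}x")
```

A body that outgrows one bucket spills into the next, so bucket padding still reveals coarse size classes; request timing and request counts are not hidden by it either.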
Re: (Score:2)
Using Tinder at Starbucks, not wise. Not setting up a guest WIFI network at your house, not wise. Leave your front door open and put a sign in the middle of it that says "Please come and steal all my shit", not wise.
I would actually love to see the United States devolve back to 19th Century homestead life just to watch Millennials be completely clueless about how to survive. What are they going to do to protect their homestead from bandits and brigands, have an academic discussion with them about empat
Re: (Score:2)
You really ought to have put a trigger warning on your post to avoid microaggressions. Someone could have been mildly offended at what you wrote, or been inflicted with PTSD!
I know man. Nature and reality are so offensive. Life should come with warning labels too. It might offend someone. Seriously, there has got to be someone to complain to about how unfair reality and nature is. Whoever created this place is so not cool because it wasn't made special to suit all my personal preferences and I am soooo special, Mommy and Daddy told me so. eyeroll
Re: (Score:2)
Why do people miss violence and murder?
better: (Score:5, Funny)
Re: (Score:2)
If it's an AI and not some bullshit database pretending to be intelligent, then yeah, no worries, I would swipe right.
Security???? Tinder users???? (Score:3, Funny)
Re: (Score:2)
"High value" targets would have no need for Tinder, and a much easier way to catch them would be to post a desirable profile then get anywhere within a mile of them.
If I were a PO at Tinder, I would not spend one minute on "fixing" this "problem", because it isn't one. The target has no value, and anything discoverable is already in the public domain.
Default? (Score:1)
This seems like some really shoddy and/or lazy development. More than this particular issue, it makes you wonder what other shortcuts or sloppy development they have hiding in their app?
Newsflash! (Score:1)
Y'all are missing the big opportunity (Score:2)
Imagine a 'mess with Tinder' app that sits on your phone, and allows you to inject images of your choice into the stream of anyone using the same local connection.
Re: (Score:2)
It'd be kinda funny if all Tinder profiles in a coffee shop were suddenly pictures of the barista.
Re: (Score:2)
You've made me think of something MORE evil - hijacking Tinder to sell coffee.
What if every other profile served up on your phone was a menu item???
What risk? (Score:2)
I don't get it.
To be usable the Tinder app requires you to post pictures of yourself, presumably looking as attractive as possible in some way, and a come-on line and a few personal details such as what gender you are and what gender you are looking for. Anybody can view all that.
So after exposing all that what you swipe on is supposed to be a "risk" of some kind? Seems to me that ship already sailed.
Re: (Score:2)
Two Possibilities (Score:2)
Possibility #2: You don't care about privacy. Result: this also doesn't affect you because you don't care anyway.
Conclusion: non-issue.
Security breach!! (Score:2)
This random stranger is able to see me trying to hook up with random strangers! This security vulnerability leaves me open to being seen by a total stranger, but not necessarily one of the ones I want to be seen by, as far as I know, since they are all strangers.