2018-01-23: Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes (wired.com)
Tinder's mobile apps still lack the standard encryption necessary to keep your photos, swipes, and matches hidden from snoops, a security firm reports. From Wired: On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos. Just by being on the same Wi-Fi network as any user of Tinder's iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream. And while other data in Tinder's apps are HTTPS-encrypted, Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder. The researchers suggest that lack of protection could enable anything from simple voyeuristic nosiness to blackmail schemes.
Being that it is a popular app, there will be a lot of people using it.
There are a lot of taboos in our culture around dating and sexuality in general.
Realizing that a perfectly normal-seeming person has some sort of fetish can often be used against them by making it public, making people feel uncomfortable, or being a reason to separate them from a particular job or group, or causing divorces and other things, from a moment of curiosity or bad judgement.
These types of services really should take privacy seriously.
If you are using an app you may not have such visibility, even if you are doing a website, other than us tech guys who will dig down into the HTML and see the pictures are not encrypted?
There is also the opportunity for blackmail. A few choice photos that were "leaked" can ruin someone's career, or in some countries, have them executed.
I thought other places would have learned a lesson in protecting their users after the Ashley Madison breach, with the fallout that happened over that. However, guess not.
Time to swipe left on that service until they actually put some value into their internal security.
Checkmarx found that they still leaked enough information to tell encrypted commands apart, allowing a hacker on the same network to watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were looking over the target's shoulder.
When different user actions result in widely different application behavior, it will always be easy to infer the user action. E.g., if matching is the only action that does not result in a new profile being presented, then observation of the smaller data exchange will lead to that inference.
The only way to avoid this is to make the network traffic identical for all cases, which is extremely wasteful of bandwidth and, presumably, battery life.
That said, encryption of all data should be standard now. There is
