Researchers find #Tinder is a #steaming #hot … security #mess

Months after a journalist found that online dating app Tinder gathered staggering amounts of information about users, security researchers have discovered that at least some of that information could be easily stolen due to inadequate security used by the app.

The claim comes today from the Checkmarx Ltd. security team, which discovered what it describes as “disturbing vulnerabilities in a highly popular dating application used by people across the globe.” The problem lies at the heart of how Tinder handles data in the app: it fails to use HTTPS encryption for photos, meaning that potentially any photo on the app could be intercepted and stolen, and even additional photos injected into the app.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app,” the researchers explained. “It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content.”

The research goes on to note that although the initial attack involves no credential theft or immediate financial impact, the data an attacker collects could be used to blackmail a vulnerable user.

The lack of properly secure photo transmission raises questions as to how much a user is willing to ignore security vulnerabilities on a given app. “Knowing an ill-disposed attacker can view and document your every move on Tinder, who you like, or who you decide to chat with is definitely disturbing,” the researchers add. “But, is it enough to have you abandon the app altogether? Most apps nowadays seem to be vulnerable so what’s the alternative? Is it at the smallest compromise of our privacy or do we shrug it off until sensitive data is stolen?”

Checkmarx believes that Tinder should encrypt all photo traffic as soon as possible, and also add extra data to the app’s commands so that they are indecipherable to anyone who gains access to them.
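The two recommendations above map to two checks a defender can automate. The following Python is an added example written for this page; it is not code from the article, from Checkmarx or from Tinder, and every hostname, path and request line in it is constructed for illustration. The first function scans request lines (in the `METHOD URL` form a proxy or capture tool logs) and flags image fetches made over plain HTTP, the case the report describes. The second pads an API command body to a fixed size bucket, so that when only encrypted traffic is visible, two different commands of different natural lengths can no longer be told apart by size.

```python
"""Added example (not from the article or Checkmarx): defender-side checks
that follow from the report's two recommendations.

1. audit_cleartext_media(): flag image fetches made over plain HTTP, which
   an on-path observer on the same network can read or replace.
2. pad_to_bucket() / unpad(): pad command bodies to a fixed bucket size so
   that length alone no longer reveals which command was sent.

All hostnames, paths and request lines below are constructed.
"""
import struct
from urllib.parse import urlsplit

IMAGE_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".webp")

# Constructed sample of logged request lines, "METHOD URL".
SAMPLE_REQUESTS = [
    "GET http://images.example-cdn.invalid/profiles/abc123.jpg",
    "GET https://api.example-app.invalid/v2/recs",
    "GET http://images.example-cdn.invalid/profiles/def456.png",
    "POST https://api.example-app.invalid/like/def456",
    "GET https://static.example-app.invalid/logo.png",
]


def is_cleartext_image(request_line: str) -> bool:
    """True if the line fetches an image-looking resource over plain HTTP."""
    try:
        _method, url = request_line.split(" ", 1)
    except ValueError:
        return False  # malformed line, not an image fetch we can judge
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "http":
        return False
    return parts.path.lower().endswith(IMAGE_SUFFIXES)


def audit_cleartext_media(request_lines):
    """Return the URLs of every image fetched without TLS, in log order."""
    return [
        line.split(" ", 1)[1].strip()
        for line in request_lines
        if is_cleartext_image(line)
    ]


def pad_to_bucket(payload: bytes, bucket: int = 256) -> bytes:
    """Frame payload with a 4-byte length and pad to a multiple of `bucket`.

    The length prefix lets the receiver strip padding unambiguously even
    if the payload itself contains zero bytes.
    """
    framed = struct.pack(">I", len(payload)) + payload
    remainder = len(framed) % bucket
    if remainder:
        framed += b"\x00" * (bucket - remainder)
    return framed


def unpad(padded: bytes) -> bytes:
    """Recover the original payload from a pad_to_bucket() frame."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


def same_length_on_the_wire(a: bytes, b: bytes, bucket: int = 256) -> bool:
    """True if two commands are indistinguishable by padded size."""
    return len(pad_to_bucket(a, bucket)) == len(pad_to_bucket(b, bucket))


if __name__ == "__main__":
    for url in audit_cleartext_media(SAMPLE_REQUESTS):
        print("cleartext image fetch:", url)
    like = b'{"action":"like","id":"def456"}'
    pass_ = b'{"action":"pass","id":"def456"}'
    print("padded sizes equal:", same_length_on_the_wire(like, pass_))
```

The audit is deliberately conservative: it only reports requests whose scheme is literally `http`, so a mixed deployment where the API is on TLS but the image CDN is not (the situation the report describes) shows up as exactly the CDN fetches. The padding helper is the simplest scheme that works; in a real client it would sit inside the TLS channel, since padding without encryption hides nothing.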