Security researchers have demonstrated that despite containing personal information, the popular dating app Tinder isn’t nearly where it should be in terms of encryption — and snoops on the same Wi-Fi network could see exactly what you’re seeing as you swipe.
The revelations were provided by Tel Aviv-based security firm Checkmarx, and reported by Wired. The researchers demonstrated that “by being on the same Wi-Fi network as any user of Tinder’s iOS or Android app, the researchers could see any photo the user did, or even inject their own images into his or her photo stream.”
Those photos were found to lack HTTPS encryption. Even the HTTPS-encrypted data from Tinder’s apps could be differentiated by action, so a hacker on the same network could conceivably tell whether a Tinder user is swiping left or right on their phone, or whether they’ve gotten a match.
Checkmarx demonstrated the vulnerabilities with TinderDrift, proof-of-concept software that it designed. The program exploits the Tinder app’s lack of HTTPS encryption. The security researchers told Wired they contacted Tinder about the issue in November, but the problems remain.
Tinder told Wired it is “constantly improving” defenses against malicious hackers. A Tinder spokesperson noted that profile photos are already public, and that the web-based version features more robust HTTPS encryption. However, it seems certain that most Tinder users rely primarily on the app, not the web version, to use the service.
While there undoubtedly aren’t Tinder hackers around every corner of your neighborhood, it still might pay to take a few extra precautions if you want to keep your swiping private. Using the Tinder app on your home Wi-Fi network seems like the best solution for now. Try to avoid swiping on public Wi-Fi networks, especially in crowded areas.
One would expect Tinder to fix this flaw as soon as possible now that it’s gone public, but as Checkmarx’s Erez Yalon said, “There’s really no excuse for using HTTP these days.”