Tinder app still lacks the encryption necessary to keep your photos, swipes, and matches hidden from snoopers
On Tuesday, researchers at Tel Aviv-based security firm 'Checkmarx' ran some basic checks on everyone's favourite dating-cum-casual sex app 'Tinder', only to scare us all on a deep fundamental level by proving that it still lacks basic HTTPS encryption for photos. It's a little technical, but the basic gist of the findings is that anyone on the same Wi-Fi network as you can see any photo you're seeing and can even put their own custom-chosen images into your photo stream. A perfect opportunity for the creepy IT guy in work to repeatedly show you his dong, in my opinion. Apparently some of the other data in the app is HTTPS-encrypted but still leaks enough information to essentially let a hacker on the same network watch every swipe left, swipe right, or match on the target's phone nearly as easily as if they were living in your brain like that one Black Mirror episode.
Checkmarx built a neat piece of software they call 'TinderDrift' specifically to prove their findings, which is another level of petty that I can only aspire to. It runs on a laptop connected to the same network and rebuilds the entire session and all its swipes from the app's traffic. TinderDrift takes the unencrypted photos and combines them with information they discovered when tooling around with the data Tinder does bother to encrypt. The boffins at Checkmarx managed to figure out that a swipe left is 278 bytes, a swipe right is represented as 374 bytes, and a match clocks in at 581. Combining the encrypted data with the unencrypted means they know exactly which photos you took a liking to and exactly who decided they liked you back. "It's this combination of two simple vulnerabilities that create a major privacy issue," says Erez Yalon, Checkmarx's manager of application security research.
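Encryption hides what a response says but not how long it is, which is why those three sizes give the game away. The sketch below is an added example, not Checkmarx's or Tinder's code: it checks whether a set of encrypted responses can be told apart by length alone and shows fixed-size padding removing the difference. The 16-byte overhead, the 1024-byte bucket and all function names are assumptions; only the three sizes come from the article.

```python
"""Added example: length leak in encrypted API responses, and a padding fix."""

AEAD_OVERHEAD = 16  # assumption: constant per-response encryption overhead
BUCKET = 1024       # assumption: every response is padded to a multiple of this


def wire_length(body):
    """Size an on-path observer sees: encryption adds a constant, nothing more."""
    return len(body) + AEAD_OVERHEAD


def pad(body, bucket=BUCKET):
    """Length-prefix the body, then zero-pad to the next multiple of `bucket`."""
    framed = len(body).to_bytes(4, "big") + body
    return framed + b"\x00" * (-len(framed) % bucket)


def unpad(padded):
    """Recover the original body on the receiving side."""
    n = int.from_bytes(padded[:4], "big")
    return padded[4:4 + n]


def observed_lengths(responses):
    """Map each observed wire length to the actions that produce it."""
    groups = {}
    for action, body in responses.items():
        groups.setdefault(wire_length(body), []).append(action)
    return groups


def leaks(responses):
    """True if actions fall into more than one length group."""
    return len(observed_lengths(responses)) > 1


# Constructed sample bodies, sized so the wire lengths match the figures
# quoted in the article (278 / 374 / 581 bytes).
RAW = {
    "swipe_left": b"x" * (278 - AEAD_OVERHEAD),
    "swipe_right": b"x" * (374 - AEAD_OVERHEAD),
    "match": b"x" * (581 - AEAD_OVERHEAD),
}
PADDED = {action: pad(body) for action, body in RAW.items()}

if __name__ == "__main__":
    print("unpadded:", observed_lengths(RAW), "leaks =", leaks(RAW))
    print("padded:  ", observed_lengths(PADDED), "leaks =", leaks(PADDED))
```
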
Checkmarx told Tinder about their findings as far back as November, but they haven't bothered to do anything about it yet. In a statement to WIRED, a Tinder spokesperson seemed to downplay the issue: "Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. We are working towards encrypting images on our app experience. However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers." Oh, cool. Nobody worry then. Tinder clearly have it all sorted...