Tinder security vulnerability allowed hackers to access accounts by entering a user's mobile number

The flaw on the dating platform Tinder and Facebook AccountKit was the Tinder API not checking the Client ID on the token provided by Account Kit.

A Tinder account could be taken over by just entering a user's phone number. The security firm AppSecure has revealed the flaw, also called an 'account takeover vulnerability', in the dating app.

Image credit: Tinder


According to a report on The Verge, both companies have fixed the flaw and there is no evidence of any data being leaked because of the security vulnerability. The security flaw allowed access to an account using Facebook AccountKit, a platform used to let people quickly register and log in to an app using a phone number and email address.

According to a blog post by AppSecure, when a user clicks 'Login with phone Number' on Tinder.com, he or she is redirected to Accountkit.com for login. "If the authentication is successful then Facebook Account Kit passes the access token to Tinder for login."

The flaw on the dating platform Tinder and Facebook AccountKit was the Tinder API not checking the Client ID on the token provided by Account Kit. This enabled hackers to use a token that Account Kit had issued to any other app to take over Tinder accounts.
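The check the article describes as missing is the relying party's verification that a token was issued for its own application. The example below is added here and is not Tinder's, Facebook's or AppSecure's code; the token lookup table, the response shape (an `application.id` field alongside the phone number) and the app IDs are constructed assumptions standing in for the provider's token-introspection call. It shows a login handler that trusts the phone number alone beside one that also requires the token's application ID to match the app's own registered ID.

```python
# Added example: why a relying party must check the client/app ID on a
# token from a shared identity provider. Constructed data, not real APIs.

# Hypothetical app ID that the relying party (the dating app) registered
# with the identity provider.
OWN_APP_ID = "app-id-dating-placeholder"

# Constructed stand-in for the provider's token store. In a real
# deployment this information comes from the provider's introspection
# endpoint, not from a local table.
_ISSUED_TOKENS = {
    # token issued when the user logged in through the dating app itself
    "tok-dating-1": {
        "phone": "+15550000001",
        "application": {"id": OWN_APP_ID},
        "expired": False,
    },
    # token for the same phone number, but issued to a different app that
    # also uses the same provider
    "tok-other-app-1": {
        "phone": "+15550000001",
        "application": {"id": "app-id-other-placeholder"},
        "expired": False,
    },
    # token issued to the dating app but no longer valid
    "tok-dating-expired": {
        "phone": "+15550000002",
        "application": {"id": OWN_APP_ID},
        "expired": True,
    },
}


def introspect_token(token):
    """Return the provider's view of a token, or None if it is unknown or expired."""
    info = _ISSUED_TOKENS.get(token)
    if info is None or info["expired"]:
        return None
    return info


def login_vulnerable(token):
    """Weak handler: any valid provider token for a phone number logs that
    number's account in, regardless of which app the token was issued to."""
    info = introspect_token(token)
    if info is None:
        return None
    return info["phone"]


def login_hardened(token, expected_app_id=OWN_APP_ID):
    """Hardened handler: the token must be valid AND bound to this app's ID.
    A token minted for another client of the same provider is refused."""
    info = introspect_token(token)
    if info is None:
        return None
    token_app_id = info.get("application", {}).get("id")
    if token_app_id != expected_app_id:
        # Worth logging: a token for another client presented to this app.
        return None
    return info["phone"]


if __name__ == "__main__":
    for tok in _ISSUED_TOKENS:
        print(tok, "vulnerable:", login_vulnerable(tok), "hardened:", login_hardened(tok))
```

The `expected_app_id` comparison is the whole fix: the provider vouches only that the token is genuine and which phone number it belongs to, and it is the relying party's job to confirm the token was issued for it rather than for some other client of the same provider.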

The blog post also listed the 'exploit steps' that could be followed to break into a Tinder account; the flaw has now been patched.

The report also mentioned that the flaw was reported to Facebook and Twitter earlier this year, and that both companies awarded the researcher $5,000 and $1,250 respectively under their respective bug bounty programs.

AppSecure is an Indian security firm founded by Anand Prakash, an ex-Flipkart security engineer.