SECURITY RESEARCHERS FIND EASY EXPLOITS TO GET USER DATA IN MOST DATING APPS
This is another story that goes into the “oh, no!” category. Well, depending on what you do on dating apps. Please note, dating may be the wrong verb. Popular “dating” apps such as Tinder, OK Cupid and Bumble have all been identified as having several exploitable weaknesses, leaving users’ data vulnerable to hackers. Researchers at Kaspersky Lab (yes, that Moscow-based Kaspersky Lab implicated in the NSA hack) used a range of techniques, from simple to fairly esoteric, all of which allowed them to access user data on these apps. In sum, these apps are hackable.
DATERS’ IDENTITY, MESSAGING, PROFILE SURFING AND LOCATION ALL VULNERABLE
What kind of data? Well, the kind of data that many if not most people would like to keep private from their use of dating apps. In this case the researchers were able to access users’ names, location, login information, in-app message history, and also see a history of the profiles viewed. That’s the kind of information that arms blackmailers and enables stalkers. In other words, this could be dangerous stuff.
RESEARCHERS ACCESSED 9 DATING APPS ON BOTH IOS AND ANDROID
The researchers were Roman Unuchek, Mikhail Kuzin, and Sergey Zelensky. They conducted research on both the iOS and Android versions of nine mobile dating apps. To get access to the sensitive data, they found that hackers actually don’t need to infiltrate the dating app’s servers. Most apps have rather minimal HTTPS encryption, which makes it easy to access user data. Here’s the full list of apps the researchers studied.
- Tinder for Android and iOS
- OK Cupid for Android and iOS
- WeChat for Android and iOS
- Bumble for Android and iOS
- Paktor for Android and iOS
- Mamba for Android and iOS
- Happn for Android and iOS
- Badoo for Android and iOS
- Zoosk for Android and iOS
NO GAY DATING SITES “EXPLORED”, NO VULNERABILITIES BEHIND THE IRON CURTAIN
Notably absent are queer dating apps such as Grindr or Scruff, which include pretty sensitive information like HIV status and sexual preferences. Given the level of official homophobia (to say the least) in Russia, it’s just as well Kaspersky left them alone.
The first exploit attempt was the simplest: it’s pretty easy to use the seemingly harmless information users reveal about themselves to discover what they’ve hidden. Tinder, Happn, and Bumble were the most vulnerable to this approach. With 60% accuracy, researchers said they could take the employment or education listings in someone’s profile and match them to that person’s other social media profiles. Whatever privacy is built into dating apps can be easily circumvented if users can be contacted via other, less secure social media sites, and it’s not terribly difficult for some troll to register a dummy account just to message users somewhere else.
Next up, the researchers discovered that several apps were vulnerable to a location-tracking exploit. It’s quite common for dating apps to have some form of distance feature, showing the relative distance you are from the person you’re chatting with—500 meters away, 2 miles away, etc. Except the apps aren’t supposed to reveal a user’s actual location, nor allow another user to narrow down where they might be. The researchers got around this by feeding the apps false coordinates and measuring the changing distances from users, aka triangulation. Tinder, Mamba, Zoosk, Happn, WeChat, and Paktor were all susceptible to this exploit.
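A defender-side counterpart to the distance feature just described, as an added example that is not from the article or from any of the apps it names: a hypothetical server computes the displayed distance only from grid-snapped positions and coarse distance buckets, so repeated queries from spoofed coordinates cannot resolve a user below the size of a grid cell. The grid size, bucket list and sample coordinates are constructed for the example.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
GRID_DEG = 0.01  # hypothetical cell size: ~1.1 km of latitude per cell
BUCKETS_M = (500, 1000, 2000, 5000, 10_000)  # coarse labels shown to users


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def snap_to_cell(lat, lon):
    """Centre of the grid cell containing (lat, lon). The server stores and uses only
    this value, so no number of client queries resolves a user below cell size."""
    return ((math.floor(lat / GRID_DEG) + 0.5) * GRID_DEG,
            (math.floor(lon / GRID_DEG) + 0.5) * GRID_DEG)


def bucketize_m(distance_m):
    """Round a distance up to the next coarse bucket; None means 'too far to show'."""
    for upper in BUCKETS_M:
        if distance_m <= upper:
            return upper
    return None


def reported_distance_m(viewer_lat, viewer_lon, target_lat, target_lon):
    """What the API returns: cell-to-cell distance, bucketed. Snapping the viewer too
    means moving a spoofed viewer position around inside one cell never changes it."""
    v_lat, v_lon = snap_to_cell(viewer_lat, viewer_lon)
    t_lat, t_lon = snap_to_cell(target_lat, target_lon)
    return bucketize_m(haversine_m(v_lat, v_lon, t_lat, t_lon))


def probes_indistinguishable(target, viewer_positions):
    """True if every probe position gets the same reported distance to target."""
    return len({reported_distance_m(vl, vn, *target) for vl, vn in viewer_positions}) == 1


# Constructed sample: one target user, two probe positions ~0.9 km and ~1.8 km away.
TARGET = (52.5234, 13.4081)
PROBES = [(52.5312, 13.4123), (52.5378, 13.4199)]

if __name__ == "__main__":
    for p in PROBES:
        print(f"true {haversine_m(*p, *TARGET):.0f} m -> reported {reported_distance_m(*p, *TARGET)} m")
    print("indistinguishable:", probes_indistinguishable(TARGET, PROBES))
```

The disclosure is deliberately limited to the target's cell: the two probes are almost a kilometre apart in true distance from the target, yet both receive the same "under 2000 m" answer.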
The more complex exploits were the most staggering in what they accessed. Tinder, Paktor, and Bumble for Android, as well as the iOS version of Badoo, all upload photos over unencrypted HTTP. Researchers said this enabled them to see what profiles users had viewed and which pictures they’d clicked to view. Similarly, they said the iOS version of Mamba “connects to the server using the HTTP protocol, without any encryption at all.” This allowed the researchers to extract user information, including login data, letting them log in and even send messages.
Lastly, the most damaging exploit is a threat to Android users specifically, though it seems to require physical access to a rooted device. Using free apps like KingoRoot, Android users can achieve superuser rights, allowing them to perform the Android equivalent of jailbreaking. The Kaspersky researchers exploited this, using “superuser” access to find the Facebook authentication token for Tinder, and then gained full access to the account. Facebook login is enabled in the app by default. Six apps—Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor—were all vulnerable to similar attacks and, because they store message history on the device itself, superusers could view messages. That’s some pretty scary potential right there.
The researchers said they have sent their findings to the respective apps’ developers. That doesn’t make this any less of a concern, though the researchers say your best bet is to a) never use a dating app via public Wi-Fi, b) definitely install software that scans your phone for malware, and c) never specify your place of employment or similar identifying information inside your dating profile.