At IncludeSec we specialize in application security assessment for our clients, that means taking applications apart and finding really crazy vulnerabilities before other hackers do. When we have time off from client work we like to analyze popular apps to see what we find. Towards the end of 2013 we found a vulnerability that lets you get exact latitude and longitude co-ordinates for any Tinder user (which has since been fixed)
Tinder is an incredibly popular dating app. It presents the user with photographs of strangers and allows them to “like” or “nope” them. When two people “like” each other, a chat box pops up allowing them to talk. What could be simpler?
Being a dating app, it’s important that Tinder shows you attractive singles in your area. To that end, Tinder tells you how far away potential matches are:
Before we continue, a bit of history: In , a different Privacy vulnerability was reported in Tinder by another security researcher. At the time, Tinder was actually sending latitude and longitude co-ordinates of potential matches to the iOS client. Anyone with rudimentary programming skills could query the Tinder API directly and pull down the co-ordinates of any user. I’m going to talk about a different vulnerability that’s related to how the one described above was fixed. In implementing their fix, Tinder introduced a new vulnerability that’s described below.
The API
By proxying iPhone requests, it’s possible to get a picture of the API the Tinder app uses. Of interest to us today is the user endpoint, which returns details about a user by id. This is called by the client for your potential matches as you swipe through pictures in the app. Here’s a snippet of the response:
Tinder is no longer returning exact GPS co-ordinates for its users, but it is leaking some location information that an attack can exploit. İncele
