A major vulnerability in the Tinder app has been disclosed by security researchers at AppSecure. The issue left Tinder accounts potentially exposed to attackers, since only a phone number was required to log in. It stemmed from issues with the Facebook API and the Tinder app’s login process, both of which have already been fixed.
The vulnerability was first reported by ethical hacker Anand Prakash in a Medium blog post. The account takeover vulnerability was due to Facebook’s Account Kit, which has since been fixed. Account Kit is used by Tinder to allow for mobile phone number logins.
The blog states, "When a user clicks on login with a phone number on Tinder, they are redirected to Accountkit.com for login. If the authentication is successful then Account Kit passes the access token to Tinder for login. The vulnerability essentially exposed the access tokens of users, which means that hackers who obtained a valid access token could easily take over a user’s account."
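The quoted flow is a standard delegated-login exchange: the identity provider (Account Kit) authenticates the phone number and hands an access token to the relying party (Tinder), which then trusts that token to log the user in. The article does not describe the exact root cause beyond the fact that access tokens were exposed, so the following is a general illustration rather than a reconstruction of the Tinder or Account Kit code. It is an added example, not from the article or from either company, showing the checks a relying party should apply before accepting a token at its login endpoint: validate the token with the issuer rather than trusting its contents, use the identity the issuer vouches for instead of any phone number the client claims, reject expired tokens, and refuse a token that has already been redeemed so that a captured token cannot simply be replayed. The issuer, its signing key, the phone numbers and the account table are all constructed in-process so the script runs offline.

```python
"""Added, hypothetical example of a phone-number login that accepts an
identity-provider access token only after validating it with the issuer.
Not Tinder or Account Kit code; the issuer is simulated in this file."""
import hashlib
import hmac
import secrets
import time

# Constructed secret standing in for the identity provider's signing key.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample accounts keyed by the phone number the issuer vouches for.
ACCOUNTS = {"+15550000001": "alice", "+15550000002": "bob"}

# Tokens that have already been redeemed; a leaked token cannot be replayed.
_consumed_tokens = set()


def issue_token(phone: str, ttl: int = 300) -> str:
    """Simulated identity provider: mint a token bound to a phone number
    and an expiry, authenticated with an HMAC over both fields."""
    exp = int(time.time()) + ttl
    payload = f"{phone}|{exp}"
    sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def introspect(token: str):
    """Simulated issuer-side verification. Returns the phone number the
    token asserts, or None if the token is malformed, tampered or expired."""
    parts = token.split("|")
    if len(parts) != 3:
        return None
    phone, exp, sig = parts
    payload = f"{phone}|{exp}"
    expected = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checking leaks no timing signal.
    if not hmac.compare_digest(sig, expected):
        return None
    if not exp.isdigit() or int(exp) < time.time():
        return None
    return phone


def login_with_token(token: str, claimed_phone: str):
    """Relying-party login endpoint. Returns the account name on success,
    otherwise None. The phone number sent by the client is never trusted on
    its own; it must match the identity the issuer vouches for."""
    if token in _consumed_tokens:
        return None  # replay of a token that was already redeemed
    verified_phone = introspect(token)
    if verified_phone is None:
        return None  # invalid, tampered or expired token
    if verified_phone != claimed_phone:
        return None  # token belongs to a different phone number
    account = ACCOUNTS.get(verified_phone)
    if account is None:
        return None  # valid token, but no account for that number
    _consumed_tokens.add(token)  # one redemption per token
    return account


if __name__ == "__main__":
    t = issue_token("+15550000001")
    print(login_with_token(t, "+15550000001"))   # alice
    print(login_with_token(t, "+15550000001"))   # None: replay rejected
    print(login_with_token(t, "+15550000002"))   # None: wrong phone number
```

The single-use set and the short expiry are what limit the damage of a token that leaks in transit or through a client, which is the failure the article describes; in a real deployment the consumed-token record would live in shared storage and the introspection call would go to the identity provider over TLS rather than to an in-process function.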
After being alerted to the security vulnerability, Tinder patched it, which means that users should be safe moving forward.
Prakash, who reported the vulnerabilities to both Tinder and Facebook, was awarded $5,000 by Facebook and $1,250 by Tinder.