Major Tinder security flaw could enable hackers to spy on your swipes

Hackers have discovered a way to spy on Tinder users, enabling prying eyes to view photos users are perusing, including those all-important left and right swipes.

According to a report from cybersecurity specialists Checkmarx, the problem arises because Tinder doesn’t use HTTPS encryption on profile photos within its iOS and Android apps.

The security flaw, which Checkmarx demonstrated in a proof-of-concept app, enables a third party to intercept images, provided the user is on the same Wi-Fi network.

The malicious individual could even use the exploit to insert their own photos into the unsuspecting user’s stream.

Related: Best Android apps

A second security flaw enables hackers to discern whether Tinder users swiped left or right on a profile, based on the amount of data that swipe produces.

For example, a swipe left is 278 bytes and a swipe right generates 341 bytes, which undermines the encrypted nature of that particular piece of data.

“It’s the combination of two simple vulnerabilities that create a major privacy issue,” Erez Yalon of Checkmarx told Wired.

“We can simulate exactly what the user sees on his or her screen. You know everything: What they’re doing, what their sexual preferences are, a lot of information.”

Tinder is ‘constantly improving defences’

The TinderDrift demonstration created by the security firm showcases how simple it would be for hackers to monitor Tinder usage sessions in real time. You can see it below.

Thankfully, at least text is encrypted within the iOS and Android apps, limiting the data third-parties can spy upon. Photos are also encrypted within the web app, so the problems are limited to the mobile apps.

In a statement, Tinder says: “We take the security and privacy of our users seriously. We employ a network of tools and systems to protect the integrity of our platform. That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app. Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.”

Does this revelation shake your faith in Tinder? Drop us a line @TrustedReviews on Twitter.