
Tinder login flaw granted account access to anyone with your phone number

A third-party gaining access to our social media accounts is always a terrifying prospect, but being hacked on the dating app Tinder could wreak some extra special life-ruining havoc. 

So it’s quite perturbing to learn the security researchers at Appsecure recently discovered a way to access any Tinder user’s account just through their phone number.

The researchers exploited a flaw in Account Kit by Facebook, which powers Tinder’s login service, together with a flaw in Tinder’s own API. Thankfully, both have now been fixed.

In a post on Medium, Appsecure’s Anand Prakash explained how attackers could have exploited the ability for users to log in with their phone number.

He explained: “The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login. If the authentication is successful then Account Kit passes the access token to Tinder for login.

“Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit. This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.”
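The missing check Prakash describes, sketched as an added example (not code from Tinder, Facebook or Appsecure): a backend that accepts a provider-issued access token should confirm the token was issued to its own app, not just that the token is valid. The `IdentityProvider` class, its `introspect` method, the client IDs and the phone number are all hypothetical, constructed stand-ins, not Account Kit's real API.

```python
import secrets

class TokenRejected(Exception):
    pass

class IdentityProvider:
    """Hypothetical stand-in for a phone-number login provider."""
    def __init__(self):
        self._tokens = {}

    def issue(self, client_id, phone):
        # The provider binds each opaque token to the app that requested it.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"client_id": client_id, "phone": phone}
        return token

    def introspect(self, token):
        # Returns the token's metadata, or None for an unknown token.
        return self._tokens.get(token)

OUR_CLIENT_ID = "dating-app-123"  # constructed value

def login_unchecked(idp, token):
    """Flawed pattern: any valid provider token is accepted."""
    info = idp.introspect(token)
    if info is None:
        raise TokenRejected("unknown token")
    return info["phone"]

def login_checked(idp, token, expected_client_id=OUR_CLIENT_ID):
    """Hardened pattern: the token must have been issued to our own app."""
    info = idp.introspect(token)
    if info is None:
        raise TokenRejected("unknown token")
    if info["client_id"] != expected_client_id:
        raise TokenRejected("token was issued to a different app")
    return info["phone"]

def demo():
    idp = IdentityProvider()
    own = idp.issue(OUR_CLIENT_ID, "+15550100")       # constructed sample
    foreign = idp.issue("other-app-999", "+15550100")  # same phone, other app
    results = {"unchecked_foreign": login_unchecked(idp, foreign),
               "checked_own": login_checked(idp, own)}
    try:
        results["checked_foreign"] = login_checked(idp, foreign)
    except TokenRejected as exc:
        results["checked_foreign"] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```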

You can see how the vulnerability was exploited in the video below:

Prakash said the vulnerability has been fixed and is being published today with Facebook’s permission under the ‘responsible disclosure policy’.

Appsecure said the vulnerabilities were quickly resolved, with Facebook paying a $5,000 bounty and Tinder paying a $1,250 reward.

It’s unclear how long the vulnerability was in play and whether any Tinder users were affected by the issue.

Potentially, the consequences would have been far less amusing than commandeering a friend’s phone and swiping right on absolutely everyone.

Have you fallen victim to a social media hack? Share your horror stories with us @TrustedReviews on Twitter.
