Tinder login flaw granted account access to anyone with your phone number

A third-party gaining access to our social media accounts is always a terrifying prospect, but being hacked on the dating app Tinder could wreak some extra special life-ruining havoc. 

So it’s quite perturbing to learn the security researchers at Appsecure recently discovered a way to access any Tinder user’s account just through their phone number.

The researchers exploited a flaw in Account Kit by Facebook, which powers Tinder’s login service, and Tinder’s own API. Thankfully it has now been fixed.

In a post on Medium, Appsecure’s Anand Prakash explained how attackers could have exploited the ability for users to login with their phone number.

He explained: “The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login. If the authentication is successful then Account Kit passes the access token to Tinder for login.

“Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit. This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.”

You can see how the vulnerability was exploited in the video below:

Prakash said the vulnerability has been fixed and is being published today with Facebook’s permission under the ‘responsible disclosure policy’.

Appsecure said the vulnerabilities were quickly resolved with Facebook paying a $5,000 bounty and Tinder paying a $1,250 reward.

It’s unclear how long the vulnerability was in play and whether any Tinder users were affected by the issue.

Potentially, consequences would have been far less amusing than commandeering a friend’s phone and swiping right on absolutely everyone.

Have you fallen victim to a social media hack? Share your horror stories with us @TrustedReviews on Twitter.

Privacy Settings