Vulnerabilities in Tinder and in Facebook's Account Kit tool could have let a hacker take over a user's Tinder account, gaining access to their private messages, using only the victim's phone number.

The problem was discovered by Anand Prakash, a security researcher, and has been fixed by both Tinder and Facebook.

Rather than requiring users to set up a username and password before they start swiping, Tinder uses Account Kit to allow people to log in using only their phone number. Users simply enter their phone number and receive a verification code via text message.


But Prakash found vulnerabilities in this setup that enabled him to log into someone's Tinder account, and once he did, he'd be able to read their messages and swipe on their behalf.

“There was a vulnerability on Account Kit, … which an attacker could have [used to] gained access to any user's Account Kit account just by using their phone number. Once in, the attacker could have gotten hold of the user's access token of Account Kit present in cookies,” Prakash explained in a blog post. From there, the attacker could use the access token to log into someone else's Tinder account.

“The Tinder API was not checking the client ID on the token provided by Account Kit,” Prakash explained. “This enabled the attacker to use any other app's access token provided by Account Kit to take over the real Tinder accounts of other users.”
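The missing client ID check described above can be shown with a small model, added here as an illustration and not taken from Prakash's post, Tinder or Facebook. The provider, its token format and every name below (`issue_token`, `introspect`, the app IDs, the phone number) are constructed assumptions and not Account Kit's real API.

```python
import base64
import hashlib
import hmac
import json

# Constructed model of a phone-login provider; NOT Account Kit's real API.
PROVIDER_KEY = b"constructed-demo-key"
DATING_APP_ID = "app-dating"   # hypothetical client ID of the relying app
OTHER_APP_ID = "app-other"     # hypothetical client ID of an unrelated app


def issue_token(app_id: str, phone: str) -> str:
    """Provider side: sign a token bound to the app it was issued for."""
    claims = json.dumps({"app_id": app_id, "phone": phone}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    sig = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def introspect(token: str) -> dict:
    """Stand-in for asking the provider to validate a token and return its claims."""
    body, _, sig = token.partition(".")
    expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("invalid token")
    return json.loads(base64.urlsafe_b64decode(body))


def login_without_client_check(token: str) -> str:
    """Flawed relying party: any valid provider token selects an account."""
    return introspect(token)["phone"]


def login_with_client_check(token: str, own_app_id: str = DATING_APP_ID) -> str:
    """Hardened relying party: the token must have been issued to this app."""
    claims = introspect(token)
    if claims.get("app_id") != own_app_id:
        raise PermissionError("token was issued to a different app")
    return claims["phone"]
```

A token that is genuine but was issued to a different app passes the first function and is rejected by the second, which is the check the quoted passage says was absent.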


Fortunately, Prakash reported his findings through the companies' respective bug bounty programs, which reward security researchers with cash in exchange for the vulnerabilities they uncover.

“We quickly addressed this issue, and we're grateful to the researcher who brought it to our attention,” a Facebook spokesperson told Gizmodo. Prakash says that Facebook awarded him $5,000 through its bug bounty program for finding the vulnerability. He also received $1,250 from Tinder. A representative for the dating app did not immediately respond to a request for comment.

Update, 6:30 p.m.: “Security is a top priority at Tinder,” a spokesperson for the company said in a statement. “Like other major global technology companies, we employ a network of tools and systems to protect the integrity of our platform. As part of our ongoing efforts in this area, we employ a Bug Bounty Program and work with skilled security researchers across the globe to responsibly identify potential issues and quickly resolve them.”
