
Tinder app can let people see who you match with and swipe left or right on

'You know everything: what they’re doing, what their sexual preferences are, a lot of information'

Aatif Sulleyman
Wednesday 24 January 2018 15:42 GMT
Joel Balcita shows his homemade Tinder App costume at the West Hollywood Halloween Costume Carnaval, which attracts nearly 500,000 people annually, in West Hollywood, California October 31, 2015 (REUTERS/Jonathan Alcorn)

“Major” vulnerabilities in the Tinder app can let people see exactly who you match with and swipe left or right on.

If the security flaws are exploited, an attacker could gather enough sensitive information to blackmail you, cyber security researchers say.

What’s more, they could also alter the appearance of profile pictures you see, and even switch them for “malicious content”.

The vulnerabilities were uncovered by cyber security firm Checkmarx, which describes them as “disturbing”.

It discovered that the Tinder app lacks basic HTTPS encryption for profile pictures, allowing anyone using the same Wi-Fi network as you to see the same profiles you come across on the app.

Checkmarx also found that different actions within the app produce specific patterns of bytes that are recognisable even in encrypted form.

A left swipe is represented as 278 bytes, a right swipe is 374 bytes and a match shows up as 581 bytes, the researchers say.
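To make the side channel concrete, here is a small added example (not from the article, Checkmarx or Tinder) that models what those three byte sizes give away and why padding responses to a fixed bucket closes the leak. The 278/374/581 figures are the ones the article reports; the 1024-byte bucket, the 512-byte bucket and the sample session are assumptions.

```python
import math
from collections import Counter

# Response sizes the article attributes to each action. The payload is
# encrypted, but its length is visible to anyone on the same network.
ACTION_SIZES = {278: "left swipe", 374: "right swipe", 581: "match"}


def infer_actions(observed_sizes):
    """What a passive observer learns from ciphertext lengths alone."""
    return [ACTION_SIZES.get(n, "unknown") for n in observed_sizes]


def length_entropy_bits(observed_sizes):
    """Shannon entropy of the observed length distribution. Because every
    action maps to exactly one length, this is the amount of information the
    lengths leak about the user's actions; 0 bits means the channel is closed."""
    counts = Counter(observed_sizes)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def pad_to_bucket(size, bucket=1024):
    """Assumed countermeasure (the article does not say Tinder deployed it):
    round every response up to a multiple of `bucket`, so a left swipe, a
    right swipe and a match all travel as the same number of bytes."""
    return -(-size // bucket) * bucket


def padded_session(observed_sizes, bucket=1024):
    """Apply the padding to a whole captured session."""
    return [pad_to_bucket(n, bucket) for n in observed_sizes]


# Constructed sample: six response sizes from one hypothetical session.
SAMPLE_SESSION = [278, 278, 374, 581, 278, 374]

if __name__ == "__main__":
    print(infer_actions(SAMPLE_SESSION))
    print(f"leak before padding: {length_entropy_bits(SAMPLE_SESSION):.2f} bits")
    print(f"leak, 1024-byte bucket: "
          f"{length_entropy_bits(padded_session(SAMPLE_SESSION)):.2f} bits")
    # Caveat: a bucket smaller than the largest message still leaks, because
    # 581 bytes rounds to 1024 while the two swipes round to 512.
    print(f"leak, 512-byte bucket: "
          f"{length_entropy_bits(padded_session(SAMPLE_SESSION, 512)):.2f} bits")
```

The 512-byte case shows the check a reviewer should make on any padding scheme: the bucket must be at least as large as the biggest message in the set, or the distinguishable ones stay distinguishable.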

“We can simulate exactly what the user sees on his or her screen. You know everything: what they’re doing, what their sexual preferences are, a lot of information,” Erez Yalon, Checkmarx’s manager of application security research, told Wired.

“It’s the combination of two simple vulnerabilities that create a major privacy issue.”

The researchers built an app, called Tinder Drift, which demonstrates just how much information an attacker could get their hands on, if they’re using the same Wi-Fi network as you.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app,” the researchers wrote.

“It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

Checkmarx says it notified Tinder about its findings in November, but the company is yet to fix the issues.

“We take the security and privacy of our users seriously,” a Tinder spokesperson told The Independent. “We employ a network of tools and systems to protect the integrity of our platform.

“That said, it’s important to note that Tinder is a free global platform, and the images that we serve are profile images, which are available to anyone swiping on the app.

“Like every other technology company, we are constantly improving our defenses in the battle against malicious hackers. For example, our desktop and mobile web platforms already encrypt profile images, and we are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use or enhancements we may implement to avoid tipping off would-be hackers.”
