You may want to think twice about giving your phone number to the cute guy at the bar next time: until recently, that number was all an attacker needed to hack into your Tinder account.
Scary, right? Mr Prakash, a security researcher from Bangalore, India, urged Tinder to tighten its security to stop users being hacked. He found it was easy to log into the app without a password by abusing Facebook's Account Kit, the service Tinder used to manage logins. A flaw in Account Kit meant that an API request supplying only a phone number returned a valid access token for that number, without the SMS verification step the user would normally complete. Because Tinder accepted that token at face value, it handed the attacker full access to and control over the victim's account: their private chats, their personal information, and the ability to interact with other users as the victim.
The weakness on Tinder's side does not lie in Facebook's Account Kit itself but in the way Tinder implemented it. Tinder never checked that an access token presented to its login endpoint had been issued for Tinder's own client ID, so anyone holding any valid Account Kit access token for a phone number could log on as that user.
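The check Tinder was missing, shown as an added example rather than any code from Tinder or Facebook: a login endpoint that exchanges an identity-provider access token for a session must confirm the token was issued to its own application before trusting the identity inside it. The token store below is a constructed stand-in for the provider's token-introspection response (Account Kit's real `/me` call is a network request), and the app IDs, phone numbers and token strings are all made up for illustration.

```python
"""Added example: an Account-Kit-style login, vulnerable and hardened.

Nothing here is Tinder's or Facebook's code. The introspection table is a
constructed, offline stand-in for the identity provider; the IDs are made up.
"""
import hmac
import secrets

RELYING_PARTY_APP_ID = "111111"  # hypothetical: the dating app's own IdP client ID
ATTACKER_APP_ID = "999999"       # hypothetical: an app the attacker registered

# Constructed introspection responses, loosely shaped like an Account Kit
# /me reply: the account id, the verified phone, and which app the token
# was issued to. A token minted for the attacker's app still "belongs" to
# the victim's phone number; that is the whole problem.
INTROSPECTION = {
    "tok_legit_victim": {
        "id": "ak_1001", "phone": "+15555550100",
        "application": {"id": RELYING_PARTY_APP_ID}, "is_valid": True,
    },
    "tok_attacker_issued": {
        "id": "ak_1001", "phone": "+15555550100",
        "application": {"id": ATTACKER_APP_ID}, "is_valid": True,
    },
    "tok_expired": {
        "id": "ak_1001", "phone": "+15555550100",
        "application": {"id": RELYING_PARTY_APP_ID}, "is_valid": False,
    },
}

# Constructed user database keyed by phone number.
USERS = {"+15555550100": {"user_id": 42, "name": "victim"}}


def introspect(access_token):
    """Stand-in for asking the identity provider what a token represents."""
    return INTROSPECTION.get(access_token)


def issue_session(phone):
    """Create an app session for the user owning this phone number."""
    user = USERS.get(phone)
    if user is None:
        return None
    return {"user_id": user["user_id"], "session": secrets.token_hex(16)}


def login_vulnerable(access_token):
    """Before: any token that resolves to a phone number logs that user in.

    The token's issuing application is never checked, so a token the
    attacker obtained for the victim's number via their own app works.
    """
    info = introspect(access_token)
    if info is None:
        return None
    return issue_session(info["phone"])


def login_hardened(access_token, expected_app_id=RELYING_PARTY_APP_ID):
    """After: reject tokens that are invalid or issued to another app.

    Checking application.id binds the token to this relying party's own
    client ID; compare_digest avoids a timing side channel on the compare.
    """
    info = introspect(access_token)
    if info is None or not info.get("is_valid"):
        return None
    issued_to = str(info.get("application", {}).get("id", ""))
    if not hmac.compare_digest(issued_to, expected_app_id):
        return None  # valid token, wrong audience: do not log anyone in
    return issue_session(info["phone"])


if __name__ == "__main__":
    print("vulnerable accepts attacker token:",
          login_vulnerable("tok_attacker_issued") is not None)
    print("hardened accepts attacker token:",
          login_hardened("tok_attacker_issued") is not None)
    print("hardened accepts legitimate token:",
          login_hardened("tok_legit_victim") is not None)
```

The same audience check applies to any third-party login integration: the token proving "this phone number was verified" is only meaningful if it was verified on behalf of your application, so compare the issuing app ID (or the `aud` claim, for JWT-style tokens) against your own client ID before creating a session.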
He reported the vulnerability to Facebook and Tinder because users' personal data was at risk, and received a $5,000 reward from Facebook and $1,250 from Tinder for his ethical hacking work. Prakash works as a product security engineer and is known as a "bug bounty hunter", researching and exposing security vulnerabilities in the systems of global companies. His previous finds include a flaw in Uber's system that allowed free rides and one that allowed hacking into any Facebook account. He is one of the best bug bounty hunters on Facebook's White Hat bug-finding programme, which pays rewards based on risk, impact and other factors.
Commenting on the Tinder flaw, Professor Alan Woodward, a cyber-security expert at the University of Surrey, said the hack is "likely to be limited compared to some of the mass data breaches we've seen previously. The vulnerability was disclosed responsibly and has now been fixed so I suspect the risk that individuals may have been compromised is relatively small. The simplicity of the exploit is troubling. It's the sort of thing that you would expect to be picked up in testing long before a security researcher finds it," he said. "One thing it does show is the role ethical hackers play in the security ecosystem is vital. Without them, this sort of simple exploit would inevitably become widely known."
Tinder acted quickly, changing its login system to close the hole, and there is no evidence that the flaw was exploited before it was reported.