Friday, 20 July, 2018

Tinder login flaw granted account access to anyone with your phone number

Anand Prakash has made a career out of exposing security bugs
Credit
Supplied Anand Prakash has made a career out of exposing security bugs Credit Supplied
Theresa Hayes | 22 February, 2018, 16:17

A new kind of attack recently made the headlines, which presumably let attackers access Tinder accounts with just a phone number. Supplying a phone number as a "new_phone_number" parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid "aks" authorization token. According to Appsecure, the attack can take place by taking advantage of these two vulnerabilities.

When you login to Tinder, you have the option of using your phone number, which is then passed along to Facebook's Account Kit for authentication to Tinder. In his latest bug discovery, Anand Prakash reported that the Tinder API wasn't checking the Client ID on the token provided by Account Kit during the login process - a flaw that could have been exploited by attackers to use any other app's access token to take over Tinder accounts.

The attacker basically has full control over the victim's account now - he can read private chats, full personal information, swipe other user profiles left or right, etc.
Both the companies paid the ethical hacker for his responsible bug disclosure. Appsecure has since receive bounties worth $5,000 and $1,250 from Facebook and Tinder respectively. He uploaded a short YouTube video showing the hack in action.

As Tinder uses Facebook profile pics for its users to lure in a mate or several, the "dating" app is somewhat tied to the social network. Responding to The Verge's request for comment, Facebook said: "We quickly addressed this issue, and we're grateful to the researcher who brought it to our attention". Tinder's spokesperson clarified that security was of the utmost importance, saying, "Security is a top priority at Tinder".

Luckily, no accounts seem to have been broken into before the vulnerability was patched.