Attackers Exploit Tinder Vulnerability Using Phone Number
A Tinder user’s phone number- that’s all that a hacker could need, to take over the account itself, as per recent reports on a newly detected Tinder vulnerability. Anyhow, it’s reported that the issues have been plugged promptly…
Indian security engineer Anand Prakash, the founder of the cyber security firm AppSecure, has detected this vulnerability and has authored a blog on the same. Anand Prakash claims to have successfully executed two attacks exploiting two different vulnerabilities, one in Tinder and another in Facebook’s Account Kit system, which Tinder uses to manage logins.
In the blog post titled ‘How I hacked Tinder accounts using Facebook’s Account Kit and earned $6,250 in bounties‘ (which has been “…published with the permission of Facebook under the responsible disclosure policy”), Anand Prakash writes- “This post is about an account takeover vulnerability I discovered in Tinder’s application. By exploiting this, an attacker could have gained access to the victim’s Tinder account, who must have used their phone number to log in…This could have been exploited through a vulnerability in Facebook’s Account Kit, which Facebook has recently addressed.”
The web and mobile applications of Tinder allow users to log in using their mobile phone numbers. It’s Facebook’s Account Kit that provides this login service. Once a user is on Tinder, the login is done by clicking on Login with Phone Number, which redirects the user to Accountkit.com for login. Account Kit passes the access token to Tinder for login if the authentication is successful. The issue was the Tinder API was not at all checking the client ID on the token that Account Kit provides and thus any hacker could use any other app’s token provided by Account Kit to take over a user’s Tinder account.
In his blog post, Anand Prakash explains how his exploit worked, step by step…He says that “First the attacker would log into victim’s Account Kit account by entering the victim’s phone number in “new_phone_number” in the API request…” and then “…the attacker could copy the victim’s “aks” access token of Account Kit app from cookies.” Then the attacker uses the copied access token “aks” of the victim to replay a request into the Tinder API and thereby get logged into the victim’s Tinder account. Anand Prakash writes- “The attacker would then basically have full control over the victim’s account. They could read private chats, full personal information, and swipe other user’s profiles left or right, among other things.”
The vulnerabilities were fixed as soon as Tinder and Facebook were made aware of the detections. Anand Prakash writes- “Both the vulnerabilities were fixed by Tinder and Facebook quickly. Facebook rewarded me with US $5,000, and Tinder awarded me with $1,250.”