Vulnerabilities can Let Hackers Hijack Tinder Accounts with Just a Phone Number

Security researcher Anand Prakash uncovered vulnerabilities in Tinder and the way it uses Facebook’s Account Kit. According to the researcher, the vulnerability can potentially let hackers take over Tinder accounts and access their private messages using only the victim’s phone number. Prakash accordingly disclosed the security flaws, which have been promptly fixed by both Tinder and Facebook.

What is Facebook’s Account Kit?

Facebook’s Account Kit lets third-party developers streamline their applications by enabling users to register and log in using only an email address or phone number. When users key in this information, they will be sent an authentication code to type in to access their accounts. Tinder is just one of the many that use Account Kit to manage user logins.

Account Kit isn’t limited to iOS and Android. It is also supported on web and mobile web applications, with or without JavaScript enabled. Account Kit is supported on Internet Explorer 10 and later versions, Edge, Chrome, Firefox, Safari, and Opera. It currently works with over 230 country codes and more than 40 languages.

How were the Account Kit vulnerabilities exploited?

Prakash noted that the flaw in Account Kit could let attackers compromise the access tokens stored in the user’s cookies — pieces of data that remember the user’s browsing activity and history. “There was a vulnerability in Account Kit through which an attacker could have gained access to any user’s Account Kit account just by using their phone number. Once in, the attacker could have gotten ahold of the user’s Account Kit access token present in their cookies (aks),” wrote Prakash.

An attacker could then chain this flaw with a second vulnerability, this time in the way Tinder implemented Account Kit. All the attacker needed was the victim’s phone number, which was enough to log into the victim’s Account Kit account. Prakash explained, “The Tinder API was not checking the client ID on the token provided by Account Kit. This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.”
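The missing check Prakash describes is a classic token-audience failure: the relying party verifies that a token is valid, but not that it was issued for *this* application. The following is an added illustration, not code from Tinder, Facebook, or the researcher. It uses a constructed, in-memory stand-in for the identity provider’s token-introspection response (the field names `user_id`, `phone`, and `application_id`, the token values, and the app IDs are all hypothetical) and places a login routine with the flaw beside one that enforces the audience check.

```python
import hmac
from typing import Dict, Optional

# Constructed placeholder for the relying party's own app/client ID as
# registered with the identity provider. Not a real value.
OUR_APP_ID = "APP_ID_PLACEHOLDER_OURS"

# Constructed stand-in for the identity provider's token-introspection
# responses, keyed by access token. A real integration would obtain this
# from the provider's documented endpoint; field names here are hypothetical.
INTROSPECTION_DB: Dict[str, Dict[str, str]] = {
    # A token legitimately issued to our application for this phone number.
    "tok-own-app": {
        "user_id": "u-1001",
        "phone": "+15550100",
        "application_id": "APP_ID_PLACEHOLDER_OURS",
    },
    # A valid token for the same phone number, but issued to a different app.
    "tok-other-app": {
        "user_id": "u-1001",
        "phone": "+15550100",
        "application_id": "APP_ID_PLACEHOLDER_OTHER",
    },
}

# Constructed account store: which local account a verified phone number maps to.
ACCOUNTS_BY_PHONE: Dict[str, str] = {"+15550100": "account-42"}


def introspect(token: str) -> Optional[Dict[str, str]]:
    """Return the provider's view of the token, or None if it is unknown/invalid."""
    return INTROSPECTION_DB.get(token)


def lookup_account(phone: str) -> Optional[str]:
    """Map a provider-verified phone number to the local account it owns."""
    return ACCOUNTS_BY_PHONE.get(phone)


def login_vulnerable(token: str) -> Optional[str]:
    """Flawed login: trusts any token the provider recognizes.

    The token is checked for validity but NOT for which application it was
    issued to, so a token minted for an unrelated app is accepted here.
    """
    info = introspect(token)
    if info is None:
        return None
    return lookup_account(info["phone"])


def login_hardened(token: str, expected_app_id: str = OUR_APP_ID) -> Optional[str]:
    """Correct login: accept only tokens issued to this application.

    Besides validity, the token's application (audience) must equal our own
    registered app ID. compare_digest is used so the comparison does not
    short-circuit on the first mismatching character.
    """
    info = introspect(token)
    if info is None:
        return None
    token_app_id = info.get("application_id", "")
    if not hmac.compare_digest(token_app_id, expected_app_id):
        # Valid token, wrong audience: reject and, in practice, log it.
        return None
    return lookup_account(info["phone"])


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        for tok in ("tok-own-app", "tok-other-app", "tok-unknown"):
            print(f"{fn.__name__}({tok!r}) -> {fn(tok)!r}")
```

Run stand-alone, the vulnerable routine returns `account-42` for both tokens, while the hardened one returns it only for the token issued to our own app and rejects the other. The same check applies whatever the provider: validate the signature or introspection result, then require that the token’s client/application identifier equals your own before treating the identity it carries as authenticated.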

What can we learn from this?

Organizations that create and deploy either their own homegrown or third-party applications walk the fine line between enriching user experience and securing the personal or corporate data stored in them. While a convoluted authentication system could discourage customers (or users), skimping on security can potentially lead businesses to lose more — especially after the EU General Data Protection Regulation is implemented.

Integrating nascent technologies like passwordless logins into mobile and web applications, for instance, helps simplify the authentication process for both developers and users. But it can also add security risks if not implemented properly. As more organizations adapt to an agile environment where applications and services need to be rolled out in a scalable manner, so must they adopt best practices to ensure their integrity and security. The Tinder and Account Kit case exemplifies the significance of security by design: safeguarding every layer of an application’s lifecycle — from planning, development, and deployment to monitoring — and even the infrastructure it runs on.
