How one guy could have taken over any Tinder account (but didn’t)

22 Feb 2018 0 Privacy, Vulnerability

Post navigation

Previous: Tesla cryptojacked by currency miners
Next: Hacker claims spyware maker Retina-X has been breached, again
by Paul Ducklin

An Indian researcher has put Tinder’s online security in the spotlight again.

Last month, we explained how missing encryption in Tinder’s mobile app made it less secure than using the service via your browser – in your browser, Tinder encrypted everything, including the photos you saw; on your mobile, the images sent for your perusal could not only be sniffed out but covertly modified in transit.

This time, the potential outcome was worse – complete account takeover, with a crook logged in as you – but thanks to responsible disclosure, the hole was plugged before it was publicised. (The attack described here therefore no longer works, which is why we are comfortable talking about it.)

In fact, researcher Anand Prakash was able to penetrate Tinder accounts thanks to a second, related bug in Facebook’s Account Kit service.

Account Kit is a free service for app and website developers who want to tie accounts to phone numbers, and to use those phone numbers for login verification via one-time codes sent in text messages.

Prakash was paid $5000 by Facebook and $1250 by Tinder for his troubles.

Note. As far as we can see in Prakash’s article and accompanying video, he didn’t crack anyone’s account and then ask for a bug bounty payout, as seemed to have happened in a recent and controversial hacking case at Uber. That’s not how responsible disclosure and ethical bug hunting work. Prakash showed how he could take control of an account that was already his own, in a way that would work against accounts that were not his. In this way, he was able to prove his point without putting anyone else’s privacy at risk, and without risking disruption to Facebook or Tinder services.

Unfortunately, Prakash’s own posting on the topic is rather abrupt – for all we know, he abbreviated his explanation on purpose – but it seems to boil down to two bugs that could be combined:

  • Facebook Account Kit would cough up an AKS (Account Kit security) cookie for phone number X even if the login code he supplied was sent to phone number Y.

As far as we can tell from Prakash’s video (there’s no audio explanation to go with it, so it leaves a lot unsaid, both literally and figuratively), he needed an existing Account Kit account, and access to its associated phone number to receive a valid login code via SMS, in order to pull off the attack.

If so, then at least in theory, the attack could be traced to a specific mobile device – the one with number Y – but a burner phone with a pre-paid SIM card would admittedly make that a thankless task.

  • Tinder’s login would accept any valid AKS security cookie for phone number X, whether that cookie was acquired via the Tinder app or not.

We hope we’ve got this correct, but as far as we can make out…

…with a working phone hooked up to an existing Account Kit account, Prakash could get a login token for another Account Kit phone number (bad!), and with that “floating” login token, could directly access the Tinder account associated with that phone number simply by pasting the cookie into any requests generated by the Tinder app (bad!).

In other words, if you knew someone’s phone number, you could definitely have raided their Tinder account, and perhaps other accounts connected to that phone number via Facebook’s Account Kit service.


What to do?

If you’re a Tinder user, or an Account Kit user via other online services, you don’t need to do anything.

The bugs described here were down to how login requests were handled “in the cloud”, so the fixes were implemented “in the cloud” and therefore came into play automatically.

If you’re a web programmer, take another look at how you set and verify security information such as login cookies and other security tokens.

Make sure that you don’t end up with the irony of a set of super-secure locks and keys…

…where any key inadvertently opens any lock.
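The two bugs above, and the “set and verify” advice that follows from them, can be shown in a toy model. This is an added example, not code from the article, from Facebook’s Account Kit or from Tinder: the token format (an HMAC-signed JSON blob), the session IDs, the app-ID (“audience”) field, and the phone numbers are all assumptions made up for the demonstration. Bug 1 is modelled as the provider minting the token for the phone number named in the confirmation request instead of the number the code was actually sent to; bug 2 is modelled as the relying party checking only that a token is genuine, not which app it was issued to. The example goes slightly beyond the text by showing that fixing either side on its own already defeats the attack, and that fixing both is what you want.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Toy signing key standing in for the identity provider's secret.
# Assumption: tokens are HMAC-signed; the real AKS cookie format is not described on the page.
SERVER_KEY = secrets.token_bytes(32)
SIG_LEN = 32  # SHA-256 digest length, used to split payload from signature


def mint_token(phone, audience):
    """Sign a login token that records the phone number and the app it was issued for."""
    payload = json.dumps({"phone": phone, "aud": audience}, sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_token(token, expected_audience=None):
    """Return the phone number a genuine token was issued for, else None.

    If expected_audience is given, a genuine token minted for a *different* app is
    rejected too. That is the relying-party-side fix for bug 2 (an assumed design)."""
    if not isinstance(token, str):
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    good = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, good):
        return None
    claims = json.loads(payload)
    if expected_audience is not None and claims.get("aud") != expected_audience:
        return None
    return claims["phone"]


class OtpProvider:
    """Toy stand-in for an SMS one-time-code login service (not Account Kit's real code)."""

    def __init__(self, bind_phone_to_session):
        self.bind_phone_to_session = bind_phone_to_session
        self.sessions = {}  # session id -> (phone the code was sent to, code)

    def send_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        sid = secrets.token_hex(8)
        self.sessions[sid] = (phone, code)
        # The code is returned only so the demo runs offline; really it goes out by SMS.
        return sid, code

    def confirm(self, sid, code, phone_in_request, app_id):
        """Exchange a correct code for a login token."""
        session = self.sessions.pop(sid, None)
        if session is None:
            return None
        sent_to, expected = session
        if not hmac.compare_digest(code, expected):
            return None
        # Bug 1 (modelled): when bind_phone_to_session is False the token is minted for
        # the number the *request* names, not the number the code was actually sent to.
        phone = sent_to if self.bind_phone_to_session else phone_in_request
        return mint_token(phone, audience=app_id)


def tinder_login(token, check_audience):
    """Toy relying-party login. With check_audience=False it mirrors bug 2: any genuine
    token for phone X is accepted, whichever app it was issued to."""
    return verify_token(token, expected_audience="tinder" if check_audience else None)


def run_attack(bind_phone, check_audience):
    """Attacker controls phone Y and wants the account tied to phone X.

    Returns the phone number of the account the attacker ends up logged in as,
    or None if the login is refused. Phone numbers are constructed sample values."""
    victim, attacker = "+15550000001", "+15550000002"
    provider = OtpProvider(bind_phone_to_session=bind_phone)
    sid, code = provider.send_code(attacker)  # code arrives on the burner phone Y
    # Confirmation request names X, and goes through an app that is not Tinder.
    token = provider.confirm(sid, code, phone_in_request=victim, app_id="some-other-app")
    return tinder_login(token, check_audience)


def legit_login(phone):
    """Honest flow with both fixes in place: the user logs into their own account."""
    provider = OtpProvider(bind_phone_to_session=True)
    sid, code = provider.send_code(phone)
    token = provider.confirm(sid, code, phone_in_request=phone, app_id="tinder")
    return tinder_login(token, check_audience=True)


if __name__ == "__main__":
    for bind, aud in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"provider binds phone={bind}, app checks audience={aud}: "
              f"attacker lands in {run_attack(bind, aud)!r}")
```

With neither fix, the attacker ends up logged in as the victim. Binding the phone number to the session the code was sent to (the provider-side fix) turns the “floating” token into a token for the attacker’s own number, so the attacker merely logs into their own account. Checking the audience (the relying-party-side fix) rejects a token that was not issued to this app at all, even if the provider is still buggy. The design lesson is the one the article ends on: a token should say, verifiably, who it is for and what it is for, and the verifier should check both rather than trusting whatever the request claims.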



