It was reported last month that online dating app Tinder had a security flaw which allows strangers to see your photos and matches. Now, Appsecure has discovered a new flaw which is potentially more damaging.
The new vulnerability allowed an attacker to take over an account using nothing more than the phone number its owner logs in with. There is no need to worry, though: after being alerted by Appsecure, Tinder has fixed the issue.
According to Appsecure, an attacker could have chained two vulnerabilities to hijack accounts: one in Tinder's own API, and one in Facebook's Account Kit system, which Tinder uses to handle phone-number logins.
In a statement sent to The Verge, a Tinder spokesperson said, "Security is a top priority at Tinder. However, we do not discuss any specific security measures or strategies, so as not to tip off malicious hackers."
In effect, the vulnerability exposed users' access tokens, and anyone holding a valid access token can take over the account it belongs to.
"We quickly addressed this issue and we're grateful to the researcher who brought it to our attention," The Verge quoted a Facebook representative as saying.
Anand Prakash from Appsecure explained how the attack works on Tinder, "The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login. If the authentication is successful then Account Kit passes the access token to Tinder for login."
"Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit. This enabled the attacker to use any other app's access token provided by Account Kit to take over the real Tinder accounts of other users," he added.
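The missing check Prakash describes is an audience check: the relying party must confirm that the token it received was issued to its own app, not merely that the token is valid and tied to the right phone number. The following is an added example, not code from the article, Tinder or Appsecure. It models a login endpoint in two versions, one that skips the app-ID check and one that enforces it, against a constructed in-memory table standing in for the identity provider's token-validation response. The app IDs, token strings and phone numbers are all hypothetical, and the real Account Kit service has since been retired, so the lookup is simulated rather than made over the network.

```python
"""Added example: why a relying party must check which app a token was issued to.

Everything here is constructed for illustration. TINDER_APP_ID, the token
strings and the phone numbers are hypothetical; `introspect` stands in for
the identity provider's token-validation call.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical app ID the relying party registered with the identity provider.
TINDER_APP_ID = "1001"


@dataclass(frozen=True)
class TokenInfo:
    """What a token-validation response might tell the relying party."""
    token_id: str
    app_id: str        # the app (client ID) the token was issued to
    phone_number: str  # the verified phone number behind the token
    valid: bool        # False if expired or revoked


# Constructed sample responses, keyed by access token string.
INTROSPECTION_DB: Dict[str, TokenInfo] = {
    # A token legitimately issued to the relying party for the victim's number.
    "tok-tinder-victim": TokenInfo("t1", TINDER_APP_ID, "+15550001", True),
    # A token issued to a *different* app (ID 9999) for the same phone number.
    # This is the attacker's lever: they control app 9999 and can mint tokens there.
    "tok-attacker-app": TokenInfo("t2", "9999", "+15550001", True),
    # A token for the right app that has expired.
    "tok-expired": TokenInfo("t3", TINDER_APP_ID, "+15550002", False),
}


def introspect(access_token: str) -> Optional[TokenInfo]:
    """Simulated token-validation call; returns None for unknown tokens."""
    return INTROSPECTION_DB.get(access_token)


def login_vulnerable(access_token: str) -> Optional[str]:
    """Vulnerable pattern: trusts any valid token and logs in the phone number it names.

    Returns the phone number that would be logged in, or None on rejection.
    """
    info = introspect(access_token)
    if info is None or not info.valid:
        return None
    # No check that info.app_id is our own app: a token from any other
    # app that verified the same phone number is accepted.
    return info.phone_number


def login_fixed(access_token: str, expected_app_id: str = TINDER_APP_ID) -> Optional[str]:
    """Hardened pattern: reject tokens issued to any app other than our own."""
    info = introspect(access_token)
    if info is None or not info.valid:
        return None
    if info.app_id != expected_app_id:
        # Token is real but was never issued to us; refuse to act on it.
        return None
    return info.phone_number


if __name__ == "__main__":
    for tok in INTROSPECTION_DB:
        print(f"{tok:20} vulnerable={login_vulnerable(tok)!s:10} fixed={login_fixed(tok)}")
```

Run as a script, the table shows the difference in one line: the attacker's token from app 9999 logs in the victim's number under `login_vulnerable` and is refused by `login_fixed`, while the legitimate token succeeds in both and the expired one fails in both. The same principle applies to any delegated login (OAuth, OpenID Connect, SAML): validate the audience or client ID of the credential, not just its signature and expiry.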
Appsecure has already received bug bounty awards of $5,000 from Facebook and $1,250 from Tinder for reporting the two flaws.
Updated on Feb. 22 at 1:14 IST: Updated to include comments from Facebook and Tinder.