Cyber criminals could exploit vulnerabilities in some of the world’s most popular dating apps, including Tinder, Badoo and Bumble, to read users’ messages and see which profiles they have viewed.
At best, the exploits could cause major embarrassment for users; at worst, they could compromise users’ privacy by allowing them to be identified, located or even blackmailed.
Security researchers from Kaspersky discovered the shortcomings in the iOS and Android versions of Badoo, Tinder, WeChat, Happn, Bumble, OKCupid, Paktor, Mamba and Zoosk.
The researchers said it was “fairly easy” to find users’ real names from the information they added to their bios, because many of the apps allow users to add details about their education or job.
Other apps, such as Tinder, also let users link their profile to their Instagram account, making it even easier for an attacker to find out a user’s name.
Tracking someone down on social media opens the door to gathering far more information about them and, combined with social engineering, raises the chance of them falling victim to a phishing or ransomware attack.
“Some apps only allow users with premium (paid) accounts to send messages, while others prevent men from starting a conversation. These restrictions don’t usually apply on social media, and anyone can write to whomever they like,” researchers wrote in a blog post.
Kaspersky researchers also warned that a number of dating apps, including Tinder, WeChat, Mamba and Zoosk, made it particularly easy to work out a user’s location.
All of those apps tell a user how far away another user is. While they do not reveal exact locations, it did not take the researchers long to uncover them.
“Even though the application doesn’t show in which direction, the location can be learned by moving around the victim and recording data about the distance to them,” researchers said.
“This method is quite laborious, though the services themselves simplify the task: an attacker can remain in one place, while feeding fake coordinates to a service, each time receiving data about the distance to the profile owner.”
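The attack the researchers describe is plain trilateration: the attacker stays put, submits spoofed coordinates to the service, records the distance it reports to the target from each fake position, and intersects the resulting circles. The following simulation is an added example, not code from the article or from Kaspersky. The service back end is modelled by a constructed `DistanceOracle` that projects positions onto a local flat plane and rounds distances to a fixed step, standing in for the coarse distances real apps display; the target coordinates, the spoofed anchor points and the 100 m rounding step are all assumptions made up for the illustration.

```python
"""Locating a user from the distance a dating app reports (added example).

Models the technique described in the article: the attacker never moves,
but feeds fake coordinates to the service and records the distance it
returns for the target each time. Three readings suffice to trilaterate.
The service model (equirectangular plane, distances rounded to `step_m`)
and all coordinates below are assumptions constructed for this example.
"""
import math

EARTH_RADIUS_M = 6_371_000.0


def to_plane(lat, lon, ref_lat, ref_lon):
    """Project (lat, lon) to local metres east (x) and north (y) of a reference point."""
    x = math.radians(lon - ref_lon) * EARTH_RADIUS_M * math.cos(math.radians(ref_lat))
    y = math.radians(lat - ref_lat) * EARTH_RADIUS_M
    return x, y


def from_plane(x, y, ref_lat, ref_lon):
    """Inverse of to_plane: local metres back to (lat, lon)."""
    lat = ref_lat + math.degrees(y / EARTH_RADIUS_M)
    lon = ref_lon + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(ref_lat))))
    return lat, lon


def error_m(estimate, truth):
    """Ground distance in metres between an estimate and the true position."""
    return math.hypot(*to_plane(*estimate, *truth))


class DistanceOracle:
    """Stand-in for the app's back end (constructed for the example).

    Given the caller's claimed coordinates, it reports how far away the
    target is, rounded to `step_m` metres the way apps show coarse
    distances. The target position is hidden from the attacker, who only
    ever sees the returned distance.
    """

    def __init__(self, target_lat, target_lon, step_m=100.0):
        self._target = (target_lat, target_lon)
        self.step_m = step_m
        self.queries = 0  # how many spoofed positions the attacker submitted

    def distance_to_target(self, caller_lat, caller_lon):
        self.queries += 1
        tx, ty = to_plane(*self._target, caller_lat, caller_lon)
        d = math.hypot(tx, ty)
        if self.step_m:
            d = round(d / self.step_m) * self.step_m
        return d


def trilaterate(readings):
    """readings: three ((lat, lon), distance_m) pairs taken from spoofed positions.

    Works in the local plane around the first anchor. Subtracting the first
    circle's equation from the other two cancels the quadratic terms and
    leaves a 2x2 linear system for the target's (x, y).
    """
    (p0, r0), (p1, r1), (p2, r2) = readings
    ref_lat, ref_lon = p0
    x1, y1 = to_plane(*p1, ref_lat, ref_lon)
    x2, y2 = to_plane(*p2, ref_lat, ref_lon)
    # 2*x1*x + 2*y1*y = r0^2 - r1^2 + x1^2 + y1^2   (and likewise for anchor 2)
    a1, b1, c1 = 2 * x1, 2 * y1, r0**2 - r1**2 + x1**2 + y1**2
    a2, b2, c2 = 2 * x2, 2 * y2, r0**2 - r2**2 + x2**2 + y2**2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("spoofed positions are collinear; choose a third point off the line")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return from_plane(x, y, ref_lat, ref_lon)


def locate(oracle, anchors):
    """Query the service from each spoofed anchor and trilaterate the target."""
    readings = [(p, oracle.distance_to_target(*p)) for p in anchors]
    return trilaterate(readings)


if __name__ == "__main__":
    # Constructed scenario: target roughly 1.5 km from three spoofed anchors.
    target = (52.5200, 13.4050)
    anchors = [(52.5100, 13.3900), (52.5300, 13.3900), (52.5200, 13.4250)]
    oracle = DistanceOracle(*target, step_m=100.0)
    est = locate(oracle, anchors)
    print(f"{oracle.queries} queries, estimate {est}, off by {error_m(est, target):.0f} m")
```

Even with every reported distance rounded to 100 m, three queries pin the target to within a few tens of metres; with exact distances the residual error is the projection's own, well under 5 m. The collinearity check matters in practice: spoofed positions on a straight line leave a mirror-image ambiguity, so the third anchor must sit off the line through the first two.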
Most concerning of all, the researchers were able to access users’ private messages and find out which profiles they had viewed; in some cases they could even take over accounts on the dating apps.
They did this by intercepting data from the apps and hijacking authentication tokens, mainly in cases where users had connected their dating profile to their Facebook account.
“Using the generated Facebook token, you can get temporary authorization in the dating application, gaining full access to the account,” researchers claimed.
“In the case of Mamba, we even managed to get a password and login – they can be easily decrypted using a key stored in the app itself.
“Most of the apps in our study (Tinder, Bumble, OK Cupid, Badoo, Happn and Paktor) store the message history in the same folder as the token. As a result, once the attacker has obtained superuser rights, they will have access to correspondence.
“In addition, almost all the apps store photos of other users in the smartphone’s memory. This is because apps use standard methods to open web pages: the system caches photos that can be opened. With access to the cache folder, you can find out which profiles the user has viewed.”
Kaspersky researchers say users can protect themselves by not adding information such as where they work or study to their dating profile. They also recommend accessing the apps only over a trusted network, preferably through a VPN.