Tinder's app has a set of security flaws, though not a data breach. According to a report released by the app security company Checkmarx on Tuesday, gaps in how the Tinder app protects its network traffic can let someone on the same network spy on an active Tinder session.
Simply by connecting to the same wifi network, a Tinder spy can tap into a Tinder user's photo stream. This is possible because the app downloads profile photos over plain HTTP rather than HTTPS, so the photo data travels across the network in the clear. Using a program called a "packet sniffer," an attacker can capture the packets crossing that network, and anything that isn't encrypted can simply be read out of them. This works on an open network with no password, and on a password-protected network for anyone who knows the password (the usual coffee-shop setup), since the wifi layer's own encryption doesn't protect users from each other.
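To make concrete why a plain-HTTP photo download is fully recoverable from a capture, here is an added example (not code from the Checkmarx report or from Tinder). It parses a hand-constructed HTTP response as it would look once reassembled from captured packets and pulls the image body out; the JPEG-looking bytes, the header values and the TLS record are all constructed for the example, and the simplified TLS header check is an assumption used only to contrast the two cases.

```python
# Added example: recovering an image from captured plaintext HTTP traffic.
# Nothing here is real Tinder traffic; the bytes are constructed.

# Constructed plaintext HTTP response, as reassembled from a TCP stream on
# port 80. The body is a minimal JPEG-shaped byte string (SOI ... EOI), not
# a real photo.
CAPTURED_HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"\xff\xd8\xff\xe0JFIF\x00\xff\xd9"
)

# Constructed TLS application-data record: 5-byte header (type 0x17,
# version 0x0303, length) followed by opaque ciphertext.
CAPTURED_TLS_RECORD = b"\x17\x03\x03\x00\x10" + bytes(range(16))


def parse_http_response(data):
    """Split a reassembled HTTP/1.x response into (status, headers, body).

    Returns None if the bytes are not an HTTP response.
    """
    if not data.startswith(b"HTTP/1."):
        return None
    head, sep, body = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    length = int(headers.get("content-length", len(body)))
    return status, headers, body[:length]


def recover_image(data):
    """Return the image bytes if `data` is a plaintext HTTP image response.

    Passive capture is enough: nothing on the wire is modified. Returns None
    for non-HTTP data or non-image responses.
    """
    parsed = parse_http_response(data)
    if parsed is None:
        return None
    _, headers, body = parsed
    if not headers.get("content-type", "").startswith("image/"):
        return None
    if not body.startswith(b"\xff\xd8"):  # JPEG start-of-image marker
        return None
    return body


def is_tls_record(data):
    """True if `data` starts with a TLS record header (assumed TLS 1.2 framing).

    A sniffer sees the type and length of the record; the content is opaque.
    """
    return (
        len(data) >= 5
        and data[0] in (0x14, 0x15, 0x16, 0x17)
        and data[1:3] == b"\x03\x03"
    )


if __name__ == "__main__":
    print("HTTP image recovered:", recover_image(CAPTURED_HTTP_RESPONSE))
    print("TLS record recoverable:", recover_image(CAPTURED_TLS_RECORD))
    print("TLS record visible length:", int.from_bytes(CAPTURED_TLS_RECORD[3:5], "big"))
```

On a real capture, Wireshark's File > Export Objects > HTTP does the same job with no code at all, which is the practical point: plain HTTP on a shared network is readable by anyone who bothers to look.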
Because these pictures are already shown to other Tinder users, the photos themselves aren't secret; what a snooper learns is which profiles you are looking at, and when. That is still distinctly creepy, since it amounts to watching your interaction with the app in real time.
Although Tinder does use HTTPS encryption for actions like swiping, Checkmarx researchers found a way around that, too. When you swipe, the app sends a request over the network that corresponds to that action, again as a packet. Because swipes are encrypted, someone examining that packet shouldn't be able to understand what it means. But Tinder swipes only come in three varieties: left swipe, right swipe, and super like. Encryption hides the contents of a packet, not its size, and each of the three actions produces an encrypted request of a distinct, constant size. Because every left swipe is the same size as every other left swipe, and different from a right swipe or a super like, an onlooker can tell what you did by looking at the size of the packet rather than what is inside it. Combine that with the unencrypted photos, and with the right tools it's as if someone is just looking at your screen.
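The packet-size side channel, and the standard fix for it, as an added example (this is not code from the Checkmarx report or from Tinder). The capture, the three fingerprint lengths and the request bodies are all constructed for the example; the real lengths would come from observing the app, and what matters is only that they are distinct and stable. The mitigation pads every action request to one fixed size before it is encrypted, so the three actions become indistinguishable by length.

```python
# Added example: traffic analysis on encrypted swipes, and length padding
# as a mitigation. All data below is constructed, not captured.
from collections import Counter

# Hypothetical fingerprint: outbound TLS record length -> action. These
# numbers are made up for the example.
FINGERPRINT = {278: "left", 374: "right", 581: "superlike"}

# Constructed capture of one session: (seconds, direction, record length).
# Everything is encrypted; an observer sees only timing, direction and size.
CAPTURE = [
    (0.0, "out", 278), (0.4, "in", 1200),
    (3.1, "out", 374), (3.5, "in", 1200),
    (5.2, "out", 278), (5.6, "in", 1200),
    (8.0, "out", 581), (8.4, "in", 1200),
    (9.9, "out", 900),                      # some other request: unknown
]

BUCKET = 1024  # fixed size every action request is padded to


def classify_actions(capture, fingerprint):
    """Label each outbound record by its length using the fingerprint table.

    Returns a list of (seconds, label); lengths not in the table are 'unknown'.
    This is the attack: content stays encrypted, size gives it away.
    """
    return [(t, fingerprint.get(n, "unknown"))
            for t, direction, n in capture if direction == "out"]


def summarize(labels):
    """Count how often each action was observed."""
    return Counter(label for _, label in labels)


def pad_to_bucket(plaintext, bucket=BUCKET):
    """Mitigation: pad a request body to a fixed bucket size before encryption.

    A 2-byte big-endian length prefix lets the receiver strip the padding
    unambiguously. With a length-preserving AEAD such as AES-GCM the TLS
    record then has the same size for every action.
    """
    if len(plaintext) > bucket - 2:
        raise ValueError("request larger than bucket")
    padding = b"\x00" * (bucket - 2 - len(plaintext))
    return len(plaintext).to_bytes(2, "big") + plaintext + padding


def unpad(padded):
    """Inverse of pad_to_bucket: recover the original request body."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def padded_lengths(bodies):
    """Lengths the observer would see after padding: all equal to BUCKET."""
    return {len(pad_to_bucket(b)) for b in bodies}


if __name__ == "__main__":
    labels = classify_actions(CAPTURE, FINGERPRINT)
    print("inferred actions:", labels)
    print("summary:", summarize(labels))
    bodies = [b'{"action":"left"}', b'{"action":"right"}', b'{"action":"superlike"}']
    print("lengths after padding:", padded_lengths(bodies))
```

Padding removes the length signal; it does not remove timing, so an observer can still see that a swipe happened, just not which kind. That is usually an acceptable trade, and the bucket size should be chosen so that every variant of the request fits without ever spilling into a second bucket.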
What's truly alarming is that an attacker could insert their own pictures into a user's photo stream by intercepting the unencrypted traffic, according to Checkmarx. This takes more than passive listening: the attacker has to sit in the path of the traffic, for example by running a rogue access point or redirecting traffic on the local network. Once there, the swap is easy, because plain HTTP gives the app no way to check that an image really came from Tinder's servers.
It’s easy to imagine the potential consequences. Unsolicited dick pics would be the tip of the iceberg; advertisements, threats, and Tide Pod memes could all infiltrate your app.
Apart from being downright embarrassing, Checkmarx says the vulnerability could be used to blackmail or otherwise expose users' Tinder habits. Checkmarx says it notified Tinder of the vulnerability in November, but Tinder has yet to fix it.
In a statement to Inverse, a Tinder spokesperson said, "We are working towards encrypting images on our app experience as well. However, we do not go into any further detail on the specific security tools we use, or enhancements we may implement to avoid tipping off would-be hackers."
Until Tinder comes up with a solution, the easiest way to defend yourself against digital onlookers is simple: don't use the app on public or shared wifi. The attack depends on the snooper being on the same network as you, so switching to mobile data (or routing the phone through a VPN, which takes the plain-HTTP photo traffic off the local network) removes that vantage point.