The attack
Recently the Tel Aviv-based security firm Checkmarx discovered a vulnerability in the popular app Tinder. The vulnerability affects both Android and iOS phones. It requires the attacker and the target to be on the same network. When this condition is met, an attacker can spy on the images the target is currently viewing, because the images are sent over plain HTTP.
The team went further than that and built a PoC application (TinderDrift, named after the popular image-sniffing tool driftnet) that can display the images the target sees and their actions too (accept/decline). Even the accept/decline data sent over secure HTTPS can be determined. This is done by looking at the size of the server's response to an accept or a decline. The researchers found that when swiping left (reject) the server sends about 278 bytes of data, swiping right (accept) sends 374 bytes of data, and a match is around 581 bytes. Combining these two attacks, an attacker can learn which people the target rejected and accepted. Pretty scary.
Since the images are sent over HTTP they can not only be intercepted but also modified! For example, an attacker could simply display ads, or show an image of a different person to bait you into accepting the real one. This can cause huge problems.
How can they correct it?
Don't use HTTP
First of all, using HTTP in 2018, when we have things like Let's Encrypt, is unacceptable. Loading the images over HTTPS already solves most of the problems.
About the packet size attack
You can't really do anything about this that wouldn't affect performance or data usage. Padding the responses with extra data until they are all the same size does solve the problem, but it generates more traffic. Without the image-sniffing vulnerability, though, this is not the scariest attack on its own.
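To make the padding idea concrete, here is an added example (my own code, not from the researchers or from Tinder) that frames a server response with its length and pads it with random bytes to a fixed 1024-byte bucket, so the three outcomes are no longer distinguishable by size on the wire. The sample bodies are constructed to match the 278 / 374 / 581 byte sizes quoted above; the framing format is an assumption, not Tinder's real protocol.

```python
import os
import struct

# Constructed sample responses (not Tinder's real format); their sizes
# mirror the ~278 / ~374 / ~581 byte reject / accept / match responses.
SAMPLE_RESPONSES = {
    "reject": b"R" * 278,
    "accept": b"A" * 374,
    "match": b"M" * 581,
}

# Every padded response becomes a multiple of this size. The bucket must be
# larger than the biggest real response, otherwise responses that straddle
# a bucket boundary still leak which side they fall on.
BUCKET = 1024


def pad_response(body: bytes, bucket: int = BUCKET) -> bytes:
    """Server side: prefix the body with its length (4-byte big-endian) and
    append random bytes up to the next multiple of `bucket`."""
    framed = struct.pack(">I", len(body)) + body
    padding_len = (-len(framed)) % bucket
    return framed + os.urandom(padding_len)


def unpad_response(padded: bytes) -> bytes:
    """Client side: read the length prefix and discard the padding."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


def sizes_leak_outcome(responses: dict) -> bool:
    """True if at least two outcomes have different wire sizes, i.e. a
    passive observer on the same network could tell them apart by length."""
    return len({len(body) for body in responses.values()}) > 1


def demo() -> tuple:
    """Returns (leaks_before_padding, leaks_after_padding)."""
    before = sizes_leak_outcome(SAMPLE_RESPONSES)
    padded = {k: pad_response(v) for k, v in SAMPLE_RESPONSES.items()}
    # Padding must be transparent to the client.
    for k, v in SAMPLE_RESPONSES.items():
        assert unpad_response(padded[k]) == v
    after = sizes_leak_outcome(padded)
    return before, after


if __name__ == "__main__":
    print(demo())  # → (True, False)
```

The cost is exactly the extra traffic the text mentions: each of these responses grows to 1024 bytes on the wire.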
How to protect yourself
No Public WiFi
Make sure you don't connect to public WiFi; anybody sitting there can execute this attack.
If you do use Public WiFi
A VPN can solve this problem, because it encrypts all the packets between you and the VPN server, no matter what protocol the app itself uses. So anybody on the local network can only see you sending encrypted data to your VPN server.
Summary
This is another example of why nobody should use HTTP anymore: it's the age of data and information, and encryption is key to securing our data. HTTPS not only prevents attackers from reading the data but also verifies that nobody edited the traffic. At the time of writing I haven't found anything suggesting that Tinder is working on the problem.
Anyway, just make sure you don't connect to public WiFi and you'll be OK!
Sources
Wired's post on the vulnerability
The original post of the research team
PoC Video on the attack