
Tinder's lack of encryption allows spying - brysonm
https://nakedsecurity.sophos.com/2018/01/24/tinder-user-lack-of-encryption-means-stalkers-can-watch-you-at-it/
======
zethraeus
The most surprising thing about this to me is how long it took to have a news
cycle about it.

Firesheep was a 2010 invention. Once that happened, _anyone_ could chill in a
coffeeshop and watch the http traffic whizz by.

... as much as we want to excoriate Tinder, it's been reasonable for most of
their users to have 'i dgaf' as their threat model.

~~~
lucideer
> _... as much as we want to excoriate Tinder, it's been reasonable for most
> of their users to have 'i dgaf' as their threat model._

This presumes users are aware of whether an app's traffic is encrypted or not.
It's interesting how much thought goes into the UX of browser address bar
security indicators, while everyone happily uses apps with no visual
indicators of network connection security of any kind.

~~~
noobermin
Or whether users know what encryption really means or not.

Users don't choose between apps based on a laundry list of features like
security consciousness of the developers. They know Tinder is where you get
dates and they download and use that.

~~~
lucideer
Most users, yes. But even those who do care, and know a little about it, don't
necessarily have any obvious path to verify which apps do/don't encrypt their
traffic.

I'm a mobile app developer, and if I were downloading Tinder I am actually
naïve enough that I would have presumed its network traffic would be. It just
seems so matter of course to me that network requests written into any app
being developed would just use HTTPS.

------
abtom
Someone already released an app making use of this exploit.

[http://www.dailymail.co.uk/video/sciencetech/video-1614014/V...](http://www.dailymail.co.uk/video/sciencetech/video-1614014/Video-Tinder-Drift-demo-shows-no-encryption-means-swipes-not-secret.html)

~~~
BHSPitMonkey
Good. These kinds of things need to happen and be well-known in order for
companies like Tinder to get their act together.

------
inlined
I remember this issue with S3 files and being unable to configure certificate
correctly. What are the correct steps to get that to work?

Also, clever find that there's a side channel on left vs right swipe. What
caused these payload differences?

~~~
makmanalp
I think unless you want to use your own custom DNS, you don't even need to set
up certificates, *.amazonaws.com has HTTPS already, with amazon certs. If you
want SSL on your own DNS, I think you're forced to use cloudfront - perhaps
they didn't want to pay for that :|

~~~
ComputerGuru
CloudFront is cheaper than S3. S3 is for storage, CloudFront is for
distribution.

~~~
makmanalp
Right, I think you would need to put cloudfront in front of s3 in this case,
which is what makes it more expensive.

~~~
ComputerGuru
I’m sorry, I don’t understand. S3 storage is cheap, bandwidth is expensive. CF
is free storage for in-cache items, refreshed from the S3 backend when
expired, serving that bandwidth. You can’t lose money as compared to a pure S3
setup.

~~~
makmanalp
Hmm, well it seems S3 to CF bandwidth is free (didn't realize this), and
bandwidth from CF to internet vs S3 to internet is approximately the same
(also surprising to me). So it costs approximately the same.

------
phoneboy
The next thing you should look at is who they send your personal data to and
what data they send. There were rumors a year ago that they sent personal data
to known advertiser IPs.

~~~
noobermin
Does tinder have ads? How do they monetize their service?

~~~
phoneboy
You link it with your facebook id, anything you share in addition about your
personal preferences is always of great interest.

------
joshumax
Funny, I remember setting up a mitm proxy on a Raspberry Pi for Tinder when I
was designing an interactive display of my tinder likes and dislikes. Even
used the content-length trick to bypass installing a custom root cert on my
phone to decrypt swipe status. Didn't think about the security implications
about it at the time but in hindsight it was terrible security practice.
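
Added example, not part of the thread or of the linked article: the response-size side channel mentioned in the comments above (different payload sizes for left and right swipes, readable from Content-Length even when the body is encrypted) is closed on the server side by padding every response to a fixed bucket. The response bodies, the `BUCKET` size and the function names are constructed for illustration and are not Tinder's real API.

```python
import json
import struct

# Assumed bucket size in bytes; choose one larger than any swipe response.
# Apply padding after any compression, or zero fill will be compressed away.
BUCKET = 512

# Constructed sample bodies: the two outcomes differ in length, which is all
# a passive observer of encrypted record sizes needs to tell them apart.
PASS_RESP = json.dumps({"status": 200}).encode()
LIKE_RESP = json.dumps(
    {"status": 200, "match": False, "likes_remaining": 100}
).encode()


def pad(body: bytes, bucket: int = BUCKET) -> bytes:
    """Prefix the true length, then zero-fill to the next multiple of bucket."""
    framed = struct.pack(">I", len(body)) + body
    return framed + b"\x00" * (-len(framed) % bucket)


def unpad(padded: bytes) -> bytes:
    """Recover the body; reject frames whose length field or fill is bogus."""
    if len(padded) < 4:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", padded[:4])
    if n > len(padded) - 4:
        raise ValueError("length field exceeds frame")
    if any(padded[4 + n:]):
        raise ValueError("non-zero padding")
    return padded[4:4 + n]


def observable_sizes(responses, padded: bool) -> set:
    """Sizes an eavesdropper sees on the wire for the given responses."""
    return {len(pad(r)) if padded else len(r) for r in responses}


if __name__ == "__main__":
    both = [PASS_RESP, LIKE_RESP]
    print("unpadded sizes:", sorted(observable_sizes(both, padded=False)))
    print("padded sizes:  ", sorted(observable_sizes(both, padded=True)))
```
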

------
tw1010
So where is the github link that lets us play with this?

~~~
termhn
Why would they make a github repo with this exploit for a seemingly not-fixed
bug? If you're a security researcher it shouldn't be that hard for you to
replicate it, and if you're not, there's no reason for you to have access to
an app that lets you easily MITM someone's tinder results.

~~~
f2n
Because if shit like this gets magically patched and no one gets hurt, most
people will continue to not care and groups like Tinder can continue to be lazy
and do shit like this.

------
throwaway_45
I understand this might be a security issue, and I guess Checkmarx gets their
name out. You can tell if someone swiped left or right on someone. However,
how is this information useful for someone?

~~~
arbitrage
The article says that it looks like profile images can be downloaded
insecurely. So now you can snoop on what people are looking at. And liking.
Opportunities for blackmail, doxxing, griefing, etc., abound.

Also, attacks don't have to exist in a vacuum. As part of a larger suite of
attacks, it appears to be a useful tool that can help build up a profile of
somebody.

The answer when it comes to hacking is almost never "why". Rather, it's
usually "why not".

~~~
zethraeus
disclaimer: let's have https everywhere and all that.

That said, you've described the 'why not'. All of the attacks you've
identified are targeted and require significant investment. This opening
doesn't allow for economically profitable mass-collection and exploitation
(like say, grabbing credit cards or hacking into email accounts).

~~~
dullgiulio
That's a bad line of thinking. Privacy doesn't work this way: there are a lot
of things that you do every day and keep private even though they cannot
easily be exploited. It's human nature.

------
Theodores
The guy spying on your Tinder searches in Starbucks is kind of late to the
party. Presumably you have paid for Tinder somehow and therefore Paypal or
your other payment provider have sold that data point to advertisers already,
perhaps Facebook have bought that too.

Then Tinder is owned by the same company that owns all of the other dating
websites, so there is a whole tier of people there that have your data.

Then there are the adverts - I assume Tinder has them or could have them - so
again you have another 27 trackers on the advertising side of things.

Of course there is nothing cloak and dagger about this, the T+C's explain it
all and a click on an agree button has been made along the way.

Luckily we have too much data to deal with and whatever weird clumsy stuff
said in messaging won't haunt you for life, e.g. adverts for some alternative
lifestyle won't haunt you in the day job.

I have heard that 'dick pics' are a problem with dating, guys don't seem to
get the message. However, if they had a box in the agreement that said 'all
dick pics and naked chest shots in front of cars will be shared with your
bank, Facebook, advertisers and third party marketing randoms' then that might
change things a bit.

