
Stalking your Facebook friends on Tinder - adamch
https://defaultnamehere.tumblr.com/post/147747146865/stalking-your-facebook-friends-on-tinder#147747146865
======
SwellJoe
I love security posts like this. His previous one about facebook messenger
status was also really nicely done.

He doesn't succumb to the temptation to be abusive (to either the people who
made the thing he's testing, the people reading, or anyone who might be
impacted by it), which is something a lot of security researchers seem to find
impossible to avoid; there's a lot of calling people various forms of stupid
in many incident reports. Even when given ample opportunity by the Tinder
folks to call them names, he didn't do so (and didn't blow it out of
proportion, either... it's problematic, but if you're using Facebook and
Tinder, you probably are already aware you're giving up a lot of privacy; this
is a big deal, but not _vastly_ bigger than using facebook all by itself).

He explains clearly what he did, and what tools he used to do it, which is
another thing that often gets left out. Many security folks follow the
magician's code ("never show 'em how it's done"), and are dismissive that mere
mortals could ever understand what they do.

And, he tells a good story in the process. All around, top notch technical
writing about a usually boring subject.

~~~
Freak_NL
The overall technical outline of the issue and what he did to figure it out
are clear — and certainly interesting — but I am having a hard time reading
the blog post. This writing style is exhausting to me. Instead of reading
normally I find myself skipping more and more text to get to the bits that
aren't silly jokes and internet slang. A shame, because it hides the technical
insights he has.

At least he's not inserting meme-pictures every other paragraph, which seems
to be a thing now even in otherwise well-written material.

~~~
SwellJoe
I guess it could be more concise, but I rather enjoyed the humor. It's not an
area I'm passionate about, even though it is important, so having it
interlaced with jokes (silly though they may be) was a net win for me.

------
Smerity
It's a surprise that Tinder launched Tinder Social just now in the US given
that's the main source of the leaked data. Tinder Social was (and remains)
opt-out in Australia while he was writing the article. Even if Tinder Social
is now opt-in in the US, the fact they were dismissive of the vulnerability
disclosure is concerning.

Any social network with deteriorating privacy is bad. One where the content
can potentially be sensitive is even worse. If you started on a service and it
kept becoming more private by default, that's fine - potentially annoying, but
fine. If you start on a service and it kept becoming more public by default,
then we have a problem.

The fact that Tinder don't realize Tinder profiles may contain sensitive
information for a significant portion of their user base is hugely disturbing.
As stated in the article, there are so many circumstances beyond cheating that
this is still an issue.

Assume for a fictional argument that I was born into a religious family, "no
sex before marriage" type of thing, but enjoyed one night stands. One might
use Tinder to do so quietly. Tinder didn't allow your friends to see that
information before - I assumed I was safe from judgement by my family and
their friends. Then Tinder rips that privacy you thought you had away!

Saying that users should have known better is not an excuse. As developers we
must operate under the assumption that best practices are likely going to be
missed or misunderstood. Tinder violated that in an extreme way in an
attempted land grab for a large social market beyond hook-ups and dating.

Disclosure: I'm friends with the author and commented on drafts.

~~~
wingerlang
> I assumed I was safe from judgement by my family and their friends. Then
> Tinder rips that privacy you thought you had away!

Why would you think your profile is "secret" in any way to begin with? It is
literally an app that shows you others using it NEARBY yourself. And a highly
popular one at that.

The profiles are also public and there is no indication to them being private
as far as I've ever read about the app.

~~~
AjithAntony
One could say that there is an expectation that only other tinder users will
discover you. Kinda like going to a bar or a strip club, which are activities
that your community may disapprove of. Thus, you only encounter members
outside of your community, or community members who are cool with it.

~~~
wingerlang
To use the things in the blog post you still need a Tinder account.

A disapproving family member could still go to a bar or open an account to try
to find you there. Which you should be aware of because they are both still
publicly accessible spaces.

~~~
sf_rob
The difference being that they would have to search multiple bars at multiple
times of day. Instead we have a large billboard saying "Steve is at this bar
and is interested in these types of activity while he's there!".

~~~
wingerlang
Except you need to turn tinder social ON for that to be the case.

I guess it is like that in Australia though.

------
markwaldron
I spent about 30-45 minutes trying to get this to work out of the box. Not
sure if it's because my Python is rusty or maybe my installs are screwy.
Either way, in order to get this to work, I ended up curling the Tinder API to
get my token.

    curl -v -X POST 'https://api.gotinder.com/auth' -H 'Content-Type: application/json' --data '{"facebook_token": "facebook_token_string", "facebook_id": "facebook_id_string"}'

With that I modified the python code to no longer POST to get the X-Auth-Token
and just pasted it in there:

        # Token obtained with the curl above, pasted in place of the POST to /auth
        self.headers["X-Auth-Token"] = 'auth_token_string'
        print("Authenticated to Tinder ")
        self.authed = True
        print(self.authed)

After that, everything worked fine!

------
spdustin
Amusing HN shout-out in the code [0]

> _"""Yeah it's really important to write extremely enterprise well-documented
> hacky API code. Hacker News will love it I swear."""_

[0]: [https://github.com/defaultnamehere/tinder-detective/blob/13b...](https://github.com/defaultnamehere/tinder-detective/blob/13bf88d88c0b0f8ba5a28c11fc53a9feb5f641ec/api.py#L10)

------
minimaxir
Can confirm the new Tinder Social feature is opt in, with reasonable warning:
[https://imgur.com/ie8IgSZ](https://imgur.com/ie8IgSZ)

Feature can be disabled at any time.

~~~
vetrom
The feature will also opt you in (on Android at least) via a notification,
with no confirmation upon opening the notification. Thanks, anti-privacy
patterns!

~~~
k-mcgrady
On iOS I opened via the push notification and got taken to the opt-in screen
so possibly a bug with their Android app rather than something malicious.

------
colecut
Connection count is just how many friends they have, not how many swipes.

There's nothing new to discover with this 'hack', seeing your friends' tinder
profiles is what tinder social does.

------
haack
For some reason I read through the commits in the Github repo. Wasn't
disappointed.

------
blubb-fish
Can't get it to work ... where do I get my facebook user id and token from?

Do I have to create an App featuring access to my friend list for that?

~~~
pc86
As stated in both the repository and the blog post (a couple times, actually),
you need to intercept the Tinder traffic after you've created a profile.

~~~
squeaky-clean
You can also check the Issues section, where other users have posted
instructions on how to easily find the id and key with just your web browser.

------
markwaldron
What format do the id and keys in secrets.json need to be in?

~~~
cfreeman
See here:
[https://gist.github.com/rtt/10403467#authenticating](https://gist.github.com/rtt/10403467#authenticating)

------
mdadm
That's kind of scary that you can get that information just by (if I read this
right) having the user ID of someone you "matched" with. This feels like it
could lead to all sorts of weird stalking or something if a first-date went
badly.

On an unrelated note, I liked the way that the post was written. It made
reading the details more interesting (but then again, I'm one of those young
whippersnappers, so maybe I'm just more prone to liking that sort of thing).

~~~
rhubarbquid
> That's kind of scary that you can get that information just by (if I read
> this right) having the user ID of someone you "matched" with.

Not quite... the API returns the Tinder user ID of all your Facebook friends
that use Tinder. You can see who uses it, when they last used it, what picture
they use there, etc.

You can also "swipe right" or "swipe left" using the API on anyone you have
the Tinder user ID of, even if Tinder never matched them with you.

So it's scary in a "creep on your friends" way not in a "creep on strangers"
way.

~~~
derefr
> You can also "swipe right" or "swipe left" using the API on anyone you have
> the Tinder user ID of, even if Tinder never matched them with you.

So you're saying I can brute-force iterate through the entire Tinder userbase
and swipe right on everyone automatically?

Finally! The feature we've all been waiting for!

(More than a little sarcasm here.)

------
youngDogChick
I'm getting a 401 error when I do curl
[https://api.gotinder.com/user/52b....000f9b](https://api.gotinder.com/user/52b....000f9b)

And I grabbed the user_id from the groups json "user_id" var

I also made the request from the browser on my phone.. same thing.

Do I need to add some tinder oauth credential to the curl request?

~~~
seanopedia
ever figure it out?

------
robin_hood_jr
What is the format for the SECRETS.json file since it needs to include both
the auth token and the facebook id?

    f = open("SECRETS.json")
    self.fb_auth = json.load(f)

So does it matter what I name the auth parameters or just that I set the
values correctly?

i.e:

    { "auth_token" : "TOKENVAL", "fb_id" : "IDVAL" }

~~~
ersii
As cfreeman commented to markwaldron in another comment - See here:
[https://gist.github.com/rtt/10403467#authenticating](https://gist.github.com/rtt/10403467#authenticating)

------
trombone
Wouldn't this require you to have specifically opted-in to "Tinder Social"?

~~~
defaultnamehere
Nope, you have to opt-out of Tinder Social to make it NOT happen to you.

~~~
trombone
Looks opt-in to me.

~~~
defaultnamehere
Ah, I was talking about in Australia. Turns out Tinder Social launched in the
US today. What a coincidence!

------
Xeronate
Anyone getting unicode errors even after removing all of the emojis from the
source?

~~~
pfista
Use python 3

~~~
gaza3g
This helped me. Also use pip3 instead of pip.

------
wodenokoto
In your Tinder profile you can see which friends Tinder will show as common
friends. This is a subset of your Facebook friends and I've always assumed
these are your Facebook friends who are on Tinder.

------
wiradikusuma
Just FYI, doesn't work in Asia, maybe because there's no Tinder Social yet.

~~~
0xADEADBEE
In the Philippines currently. Can confirm the Tinder Social prompt has
appeared for me.

------
gnahckire
This blogpost is so hilariously written. Props to the author.

------
foota
Holy direct object reference vulnerability batman!
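The authorization gap rhubarbquid describes above (acting on any Tinder user ID, matched or not), which foota names directly, as an added example of the server-side authorization and consent checks that close it. This is illustrative code written for this thread, not Tinder's or the tinder-detective project's; the endpoint shape, the store names (`SERVED`, `OPTED_IN`) and the opt-in semantics are assumptions.

```python
# Added example for this thread (not Tinder's code, not tinder-detective's):
# a toy server-side swipe endpoint with the insecure direct object reference
# the thread describes, beside a version that authorizes the target ID and
# records rejected attempts for detection. All data below is constructed.

# Profile IDs the server itself has shown each user (their recommendation deck).
SERVED = {
    "alice": {"u101", "u102"},
    "bob": {"u103"},
}
# Whether each user has opted in to sharing their presence with friends.
OPTED_IN = {"alice": True, "bob": True, "carol": False}

SWIPES = []    # accepted (actor, target_id, direction) records
REJECTED = []  # (actor, target_id) pairs refused by the hardened check

def swipe_insecure(actor, target_id, direction):
    """Vulnerable: any target ID the caller supplies is acted on, so an ID
    obtained from another endpoint (e.g. a friend's) works just as well."""
    SWIPES.append((actor, target_id, direction))
    return True

def swipe_hardened(actor, target_id, direction):
    """Fixed: the target must be an object the server served to this caller.
    Unknown and un-served IDs get the same answer, so the endpoint is not an
    oracle for which user IDs exist."""
    if direction not in ("like", "pass"):
        raise ValueError("direction must be 'like' or 'pass'")
    if target_id not in SERVED.get(actor, set()):
        REJECTED.append((actor, target_id))
        return False
    SWIPES.append((actor, target_id, direction))
    return True

def friends_on_service(requester, friend_ids):
    """Friend discovery with a consent check on BOTH sides: a requester who
    has not opted in sees nothing, and a friend who has not opted in is never
    listed, whether or not they have an account."""
    if not OPTED_IN.get(requester, False):
        return []
    return sorted(f for f in friend_ids if OPTED_IN.get(f, False))

def rejected_counts():
    """Per-actor count of refused swipes: a burst from one account is the
    signal to alert on (someone feeding the endpoint IDs it never served)."""
    counts = {}
    for actor, _ in REJECTED:
        counts[actor] = counts.get(actor, 0) + 1
    return counts
```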

------
cloudjacker
how do you build this in OSX? Apple's python situation is out of control

~~~
spiznnx

      virtualenv venv --python=python3.5
      source venv/bin/activate
      pip install -r requirements.txt

~~~
cloudjacker
first line isn't working for me

    virtualenv venv --python=python3.5
    Running virtualenv with interpreter /usr/local/bin/python3.5
    Using base prefix '/Library/Frameworks/Python.framework/Versions/3.5'
    New python executable in venv/bin/python3.5
    Also creating executable in venv/bin/python
    Failed to import the site module
    Traceback (most recent call last):
      File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/site.py", line 67, in <module>
        import os
      File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/os.py", line 708, in <module>
        from _collections_abc import MutableMapping
    ImportError: No module named '_collections_abc'
    ERROR: The executable venv/bin/python3.5 is not functioning
    ERROR: It thinks sys.prefix is '/Users/ericlw/Development/tinder-detective' (should be '/Users/ericlw/Development/tinder-detective/venv')
    ERROR: virtualenv is not compatible with this system or executable

ugh none of this python 3 stuff works right

~~~
marodox

      brew install python3.5

------
defaultnamehere
    'gender': 1, // 1 is female, 0 is male. C'mon Tinder that's not how gender works

C'mon Tinder.

~~~
mrits
Are there more than two genders now?

~~~
zeta0134
Yes, and I'm not sure why he's getting downvoted. This is a legitimate
Facebook feature.

Gender can be either Male, Female, or Custom, and Facebook gives you the
option to choose which gender pronouns you prefer. Thus, to see it represented
as a boolean is unusual. I'm curious as to what the value of that field is
when a user has chosen Facebook's custom gender display options.

~~~
collyw
I am sticking with the biological definition.

~~~
Strom
There are more than two options in conservative biology as well. [1]

[1]
[https://en.wikipedia.org/wiki/Hermaphrodite](https://en.wikipedia.org/wiki/Hermaphrodite)

~~~
mrits
The very first sentence of your link says "both male and female". In nature
they have the ability to act as both male or female.

~~~
Strom
Are you claiming that it's equal to either only male, or only female? If not,
then how exactly would you provide the information that an organism is both
with a single required bit, where 0 is defined as female, and 1 as male?

------
redwood
How can I tell if I've even been opted in? Bastards. I'm a paying customer and
they pull this crap.

~~~
k-mcgrady
>> "How can I tell if I've even been opted in?"

It's OPT-IN - you can tell because you would have said 'opt me in to Tinder
Social'. Also, if you can remember, swipe to your profile screen. If you have
opted in it has it in huge writing.

