

Hacking Tinder for Fun and Profit - ydesouza
http://www.ydesouza.com/tinder

======
dx4100
Or just use this handy node package. I used it to auto like 22,000 people in
LA, and went on dates for 9 days in a row. Let's just say I'm a bit exhausted.

[https://www.npmjs.org/package/tinderbot](https://www.npmjs.org/package/tinderbot)

Edit: My tinder bot:
[https://github.com/deftx/loltinder](https://github.com/deftx/loltinder)

~~~
kilroy123
Thank you very much for this. 22k in LA? Wow. Looks like there are only about
~3-5k in Portland, OR.

------
crazypyro
I've been looking into packet tracing some mobile games that operate entirely
online. I'm sure the mobile space is packed to the brim with unrestricted
APIs... Thanks for the motivation/tips.

~~~
robterrell
I don't think it's an "unrestricted" API if it uses https and you have to
intercept and extract an auth token from a valid session. But I get what you
mean -- it is fun to look under the covers and see how the big companies do
things.

~~~
crazypyro
Yeah, I agree. MITM attacking your own auth token is not a great example of an
"unrestricted" API. I'm thinking more POST requests to games where you can
edit resources, change high score, etc. The kind of stuff you used to see all
the time on web games, before popularity increased to the point where the
developers had to take care of it.

I'd just imagine developers are a lot less wary about security holes because
they assume that their client is "just" a smartphone and not a rooted packet
sniffer.

------
cheepin
You can combine with an Android emulator (to spoof GPS location), and a fake
Facebook to be literally anybody, anywhere, and see who likes you. While it's
certainly not the intended use of the app, A/B testing your appearance to
different regions is not out of the question.

~~~
dx4100
You can also send your GPS location through the API.

------
oftheloop
A buddy of mine did almost exactly the same thing a few months back. Here is a
link to that
[http://blog.venkatesh.ca/automating-tinder/](http://blog.venkatesh.ca/automating-tinder/)

------
denwer
Here is a cached version since the response time seems quite high to me:
[http://webcache.googleusercontent.com/search?q=cache:EqfLajb...](http://webcache.googleusercontent.com/search?q=cache:EqfLajb3USMJ:www.ydesouza.com/tinder+)

------
fernandotakai
Is it possible to mitigate this kind of thing by using certificate pinning?

~~~
eropple
How would that help? The _client_ doesn't need to trust anything from the
server, just firehose likes back at it.

Even if you were for some reason using client certificates, you'd just have to
rip apart the Tinder APK to get the cert and you're done.

~~~
cmartin123
By pinning the cert, the inspection of the protocol wouldn't have been
possible in the first place, since the app would reject Fiddler's SSL cert. The
Tinder APK would only contain the information needed to verify the cert, not
generate a valid one. If this wasn't the case, SSL would be useless.

~~~
tekromancr
Then you crack the app and bypass the auth check. App continues to talk to
server, you continue to document the API. Or hook a debugger into the app and
watch what network calls it makes. The only real solution would be to do
sanity checks on the server.
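
A sketch of the kind of server-side sanity check mentioned in the last comment, covering the two behaviours raised in this thread (bulk auto-liking and client-supplied GPS positions). This is an added example, not part of the thread and not Tinder's code; the thresholds, class and method names, and sample coordinates are assumptions made for illustration.

```python
import math
from collections import defaultdict, deque

# Assumed policy thresholds (hypothetical, not taken from any real service).
MAX_LIKES_PER_HOUR = 100
MAX_SPEED_KMH = 1000.0   # faster than an airliner is treated as implausible
WINDOW_S = 3600

# Constructed sample coordinates (lat, lon).
LOS_ANGELES = (34.05, -118.24)
PORTLAND = (45.52, -122.68)

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

class SwipeSanityChecker:
    """Per-account checks the server applies regardless of what client sent the request."""

    def __init__(self):
        self._likes = defaultdict(deque)  # user -> timestamps of accepted likes
        self._last_fix = {}               # user -> (timestamp, (lat, lon))

    def check_location(self, user, ts, pos):
        """Reject a position update that implies impossible travel speed."""
        prev = self._last_fix.get(user)
        if prev is not None:
            hours = max(ts - prev[0], 1) / 3600.0
            if haversine_km(prev[1], pos) / hours > MAX_SPEED_KMH:
                return False              # keep the previous trusted fix
        self._last_fix[user] = (ts, pos)
        return True

    def check_like(self, user, ts):
        """Sliding-window limit on accepted likes per account."""
        q = self._likes[user]
        while q and q[0] <= ts - WINDOW_S:
            q.popleft()                   # drop likes older than the window
        if len(q) >= MAX_LIKES_PER_HOUR:
            return False
        q.append(ts)
        return True
```

Because the checks key on the authenticated account rather than on anything the client asserts about itself, they apply equally to the official app and to a script replaying the API.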

