Stalking your Facebook friends on Tinder (defaultnamehere.tumblr.com)
315 points by adamch on July 22, 2016 | 102 comments

I love security posts like this. His previous one about Facebook Messenger status was also really nicely done.

He doesn't succumb to the temptation to be abusive (to either the people who made the thing he's testing, the people reading, or anyone who might be impacted by it), which is something a lot of security researchers seem to find impossible to avoid; there's a lot of calling people various forms of stupid in many incident reports. Even when given ample opportunity by the Tinder folks to call them names, he didn't do so (and, didn't blow it out of proportion, either...it's problematic, but if you're using Facebook and Tinder, you probably are already aware you're giving up a lot of privacy; this is a big deal, but not vastly bigger than using facebook all by itself).

He explains clearly what he did, and what tools he used to do it, which is another thing that often gets left out. Many security folks follow the magician's code ("never show 'em how it's done"), and are dismissive that mere mortals could ever understand what they do.

And, he tells a good story in the process. All around, top notch technical writing about a usually boring subject.

The overall technical outline of the issue and what he did to figure it out are clear — and certainly interesting — but I am having a hard time reading the blog post. This writing style is exhausting to me. Instead of reading normally I find myself skipping more and more text to get to the bits that aren't silly jokes and internet slang. A shame, because it hides the technical insights he has.

At least he's not inserting meme-pictures every other paragraph, which seems to be a thing now even in otherwise well-written material.

I guess it could be more concise, but I rather enjoyed the humor. It's not an area I'm passionate about, even though it is important, so having it interlaced with jokes (silly though they may be) was a net win for me.

Agreed, I find the actual content interesting but I probably skipped 90% of the written text.

Edgiest security blog post ever.

You haven't mastered the art of internet reading? I.e. aggressive skimming combined with ctrl/cmd-f to get to the meat and potatoes?

Indeed. It would be even better if it were translated into English from whatever hybrid internet-speak language this is.

seems to be a derivative of the cracked.com language

It's a surprise that Tinder launched Tinder Social just now in the US given that's the main source of the leaked data. Tinder Social was (and remains) opt-out in Australia while he was writing the article. Even if Tinder Social is now opt-in in the US, the fact they were dismissive of the vulnerability disclosure is concerning.

Any social network with deteriorating privacy is bad. One where the content can potentially be sensitive is even worse. If you started on a service and it kept becoming more private by default, that's fine - potentially annoying, but fine. If you start on a service and it kept becoming more public by default, then we have a problem.

The fact that Tinder don't realize Tinder profiles may contain sensitive information for a significant portion of their user base is hugely disturbing. As stated in the article, there are so many circumstances beyond cheating that this is still an issue.

Assume for a fictional argument that I was born into a religious family, "no sex before marriage" type of thing, but enjoyed one night stands. One might use Tinder to do so quietly. Tinder didn't allow your friends to see that information before - I assumed I was safe from judgement by my family and their friends. Then Tinder rips that privacy you thought you had away!

Saying that users should have known better is not an excuse. As developers we must operate under the assumption that best practices are likely going to be missed or misunderstood. Tinder violated that in an extreme way in an attempted land grab for a large social market beyond hook-ups and dating.

Disclosure: I'm friends with the author and commented on drafts.

> I assumed I was safe from judgement by my family and their friends. Then Tinder rips that privacy you thought you had away!

Why would you think your profile is "secret" in any way to begin with? It is literally an app that shows you others using it NEARBY yourself. And a highly popular one at that.

The profiles are also public and there is no indication to them being private as far as I've ever read about the app.

One could say that there is an expectation that only other tinder users will discover you. Kinda like going to a bar or a strip club, which are activities that your community may disapprove of. Thus, you only encounter members outside of your community, or community members who are cool with it.

To use the things in the blog post you still need a Tinder account.

A disapproving family member could still go to a bar or open an account to try to find you there. Which you should be aware of because they are both still publicly accessible spaces.

The difference being that they would have to search multiple bars at multiple times of day. Instead we have a large billboard saying "Steve is at this bar and is interested in these types of activity while he's there!".

Except you need to turn tinder social ON for that to be the case.

I guess it is like that in Australia though.

> If you start on a service and it kept becoming more public by default, then we have a problem.

If this isn't criminal, it should be. People belong in jail for this sort of thing.

Have you seen the (now quite ancient) animated evolution of default Facebook privacy settings[1]? It's insane.

It's for this reason that, by default, I assume essentially everything I do online is public. My username is my name, almost everything on Facebook is defaulted to public, etc.

If you live under the assumption that you're never private, you'll never make the mistake of thinking you are.

[1]: http://mattmckeon.com/facebook-privacy/

I spent about 30-45 minutes trying to get this to work out of the box. Not sure if it's because my Python is rusty or maybe my installs are screwy. Either way, in order to get this to work, I ended up curling the Tinder API to get my token.

  curl -v -X POST 'https://api.gotinder.com/auth' -H 'Content-Type: application/json' --data '{"facebook_token": "facebook_token_string", "facebook_id": "facebook_id_string"}'

With that I modified the python code to no longer POST to get the X-Auth-Token and just pasted it in there:

        self.headers["X-Auth-Token"] = 'auth_token_string'
        print("Authenticated to Tinder ")
        self.authed = True
        print(self.authed)

After that, everything worked fine!

Amusing HN shout-out in the code [0]

> """Yeah it's really important to write extremely enterprise well-documented hacky API code. Hacker News will love it I swear."""

[0]: https://github.com/defaultnamehere/tinder-detective/blob/13b...

Can confirm the new Tinder Social feature is opt in, with reasonable warning: https://imgur.com/ie8IgSZ

Feature can be disabled at any time.

The feature will also opt-in (on Android at least) via a notification, with no confirmation upon opening the notification. Thanks, anti-privacy patterns!

On iOS I opened via the push notification and got taken to the opt-in screen so possibly a bug with their Android app rather than something malicious.

Opt-in in America, Opt-out in Australia.

I hope so, that would be a step in the right direction!

Has anyone in America tried out https://github.com/defaultnamehere/tinder-detective to see if the API still works in the US without having to opt in?

But not opt-in for the friends of those who have already opted in.

Connection count is just how many friends they have, not how many swipes.

There's nothing new to discover with this 'hack', seeing your friends' tinder profiles is what tinder social does.

For some reason I read through the commits in the Github repo. Wasn't disappointed.

Can't get it to work ... where do I get my facebook user id and token from?

Do I have to create an App featuring access to my friend list for that?

As stated in both the repository and the blog post (a couple times, actually), you need to intercept the Tinder traffic after you've created a profile.

You can also check the Issues section, where other users have posted instructions on how to easily find the id and key with just your web browser.

What format do the id and keys in secrets.json need to be in?

That's kind of scary that you can get that information just by (if I read this right) having the user ID of someone you "matched" with. This feels like it could lead to all sorts of weird stalking or something if a first-date went badly.

On an unrelated note, I liked the way that the post was written. It made reading the details more interesting (but then again, I'm one of those young whippersnappers, so maybe I'm just more prone to liking that sort of thing).

> That's kind of scary that you can get that information just by (if I read this right) having the user ID of someone you "matched" with.

Not quite... the API returns the Tinder user ID of all your Facebook friends that use Tinder. You can see who uses it, when they last used it, what picture they use there, etc.

You can also "swipe right" or "swipe left" using the API on anyone you have the Tinder user ID of, even if Tinder never matched them with you.

So it's scary in a "creep on your friends" way not in a "creep on strangers" way.

> You can also "swipe right" or "swipe left" using the API on anyone you have the Tinder user ID of, even if Tinder never matched them with you.

So you're saying I can brute-force iterate through the entire Tinder userbase and swipe right on everyone automatically?

Finally! The feature we've all been waiting for!

(More than a little sarcasm here.)

> having the user ID of someone you "matched" with

Most of the information was already available to someone you matched with (that's the whole point of matching), barring the 'last logged in' value. The real concern is that you can get the user id of any of your facebook friends, exposing information that was previously hidden unless you did match. Matching relies on two-party consent, this violates that for a subset of users.

Unless I'm missing something, the information displayed is shown for every Tinder user you see on the app before and after you are matched. There is no additional data leaked.

What it does do is allow you to quickly find your Facebook friends among the thousands of Tinder users in your area. You can find them anyway with enough swiping.

I'm getting a 401 error when I do curl https://api.gotinder.com/user/52b....000f9b

And I grabbed the user_id from the groups json "user_id" var

I also made the request from the browser on my phone.. same thing.

Do I need to add some tinder oauth credential to the curl request?

ever figure it out?

What is the format for the SECRETS.json file since it needs to include both the auth token and the facebook id?

  f = open("SECRETS.json")
  self.fb_auth = json.load(f)

So does it matter what I name the auth parameters or just that I set the values correctly?


{ "auth_token" : "TOKENVAL", "fb_id" : "IDVAL" }

As cfreeman commented to markwaldron in another comment - See here: https://gist.github.com/rtt/10403467#authenticating

Wouldn't this require you to have specifically opted-in to "Tinder Social"?

Nope, you have to opt-out of Tinder Social to make it NOT happen to you.

Looks opt-in to me.

Ah, I was talking about in Australia. Turns out Tinder Social launched in the US today. What a coincidence!

Anyone getting unicode errors even after removing all of the emojis from the source?

Use python 3

This helped me. Also use pip3 instead of pip.

Commenting out the print(response.text) on line 79 of api.py should bypass the issue (or at least did so for me).

In your Tinder profile you can see which friends Tinder will show as common friends. This is a subset of your Facebook friends and I've always assumed these are your Facebook friends who are on Tinder.

Just FYI, doesn't work in Asia, maybe because there's no Tinder Social yet.

In Philippines currently. Can confirm Tinder Social prompt has appeared for me.

This blogpost is so hilariously written. Props to the author.

Holy direct object reference vulnerability batman!

how do you build this in OSX? Apple's python situation is out of control

Use pyenv (https://github.com/yyuu/pyenv). If you want it easier, there is an installer at https://github.com/yyuu/pyenv-installer.

Install Linux in it.

  virtualenv venv --python=python3.5
  source venv/bin/activate
  pip install -r requirements.txt

first line isn't working for me

  virtualenv venv --python=python3.5
  Running virtualenv with interpreter /usr/local/bin/python3.5
  Using base prefix '/Library/Frameworks/Python.framework/Versions/3.5'
  New python executable in venv/bin/python3.5
  Also creating executable in venv/bin/python
  Failed to import the site module
  Traceback (most recent call last):
    File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/site.py", line 67, in <module>
      import os
    File "/Users/ericlw/Development/tinder-detective/venv/bin/../lib/python3.5/os.py", line 708, in <module>
      from _collections_abc import MutableMapping
  ImportError: No module named '_collections_abc'
  ERROR: The executable venv/bin/python3.5 is not functioning
  ERROR: It thinks sys.prefix is '/Users/ericlw/Development/tinder-detective' (should be '/Users/ericlw/Development/tinder-detective/venv')
  ERROR: virtualenv is not compatible with this system or executable

ugh none of this python 3 stuff works right

  brew install python3.5

I got it working, have to use python3 for all of the python commands.

use pip3 python3 and install datetime with pip3 install datetime

'gender': 1, // 1 is female, 0 is male. C’mon Tinder that’s not how gender works

C'mon Tinder.

It's a float value.

The funny part is that you're getting downvoted when it's actually defined as a float.

Like, you weren't kidding. They honestly made it a float. What.

"Gender fluid"

Facebook supports a third gender

But that could be represented with an int, right? Why float?

Needs to be complex, apparently.

Only one axis? How discriminatory. :P

Please don't Reddit-ify HackerNews.

I feel the same way. As time has gone on, it's tending to be more and more reddit-y

"Infinite dimensional gender space"

Nah, it's a string.

Are there more than two genders now?

Yes, and I'm not sure why he's getting downvoted. This is a legitimate Facebook feature.

Gender can be either Male, Female, or Custom, and Facebook gives you the option to choose which gender pronouns you prefer. Thus, to see it represented as a boolean is unusual. I'm curious as to what the value of that field is when a user has chosen Facebook's custom gender display options.

'Custom' wouldn't work in Tinder. They should have at least a third option but considering they show matches based on a gender preference having dozens of gender options will make the app quite useless as you'll be spreading people who would be interested in each other but use different terms to describe their gender into a wide variety of groups.

I am sticking with the biological definition.

There are more than two options in conservative biology as well. [1]

[1] https://en.wikipedia.org/wiki/Hermaphrodite

The very first sentence of your link says "both male and female". In nature they have the ability to act as both male or female.

Are you claiming that it's equal to either only male, or only female? If not, then how exactly would you provide the information that an organism is both with a single required bit, where 0 is defined as female, and 1 as male?

The biological definition is not real. Binary genders are a trend, not a certainty in nature.

I was attracted to hard sciences because the subjectivity of things like psychology turned me off. Statements like yours make me concerned that liberal arts departments are going to try to make science fit their narrative. The roles of male and female is one of the most universally common behaviors across species. If I grew a vagina and had a baby it doesn't make me a different gender. It means I took on some of the attributes of a human female. At that point I wouldn't consider myself male or female. But I certainly wouldn't try to make up a 3rd gender for my unique situation.

That's a very positivist approach, and I hope the liberal arts continue to erode such binary based thinking in the sciences as I believe that philosophy makes better scientists. And so what if you "made up" another gender? Gender is socially constructed and is not a real, concrete construct. I'm sorry that considering concepts and people as unable to be hyper taxonomized by artificial constraints is inconvenient to you and more valuable than treating the identities of others with respect.

There is a difference between binary based thinking and thinking about binary.

Very good point, but in nature a binary of sexes is not absolute. You are applying the artificial gender binary to sexes, which in nature are often messy and unclear. This can range from species that change sex organs as they mature, take on different reproductive roles dependent on situations, and even manifests in a statistically significant amount of humans born with both sets of reproductive organs. Assuming two sexes, then going on to conflate that with gender, demonstrates only an elementary understanding of reproductive biology.

But are there more than two biological genders? Or are we just talking about "my special identity" genders?

I think it's more about the shape.

> Are there more than two genders now?

That question needs unpacked further:

(1) Are there more than two gender identities? Yes.

(2) Are there more than two socially ascribed genders? Yes, given that (1) has achieved a significant degree of acceptance, as has aligning ascribed gender with identity.

(3) Are there more than two grammatical genders? Depends on the language.

(4) Are there more than two arrangements of sex-related biological traits? Yes

(5) Are there more than two of any of the items in #1, #2, or #4 on which people might have preferences that would be relevant in a dating app? Probably.

yes, as there always has been in the grammar of English and many other languages.

The commenter you're responding to is most likely using "gender" to refer to the concept you would describe as "sex". That is, the biological characteristic of being male or female rather than a grammatical concept.

Sex isn't binary either.

In the vast majority of cases it is.

A trait either is binary or is not (being binary is, itself, binary.) A trait that the vast majority of the time takes on one of two values, but other times takes on other values, is not binary.


Even if that was the exact set of possible values, that's not binary (though I suppose if someone overexposed to SQL might mistake it for being binary...)

No, I would definitely agree that male is negative and female is positive. Unless there's a race condition.

No worries, Tinder doesn't ask for your race.

It's all the same on the inside anyway.

My gender is 88

How can I tell if I've even been opted in? Bastards. I'm a paying customer and they pull this crap.

>> "How can I tell if I've even been opted in?"

It's OPT-IN - you can tell because you would have said 'opt me in to Tinder Social'. Also, if you can remember, swipe to your profile screen. If you have opted in it has it in huge writing.

