If you’ve ever registered for an app by choosing to do it through Facebook, you’ve probably come into contact with the social media giant’s Account Kit, a Facebook product that lets users quickly register and log into apps using either an email address or a phone number—no password needed.
Well, turns out there was a vulnerability in Account Kit that made it possible for an attacker (or in this case an ethical bug bounty hunter) to gain access to a person’s Tinder account—including profile information, photos, direct messages, etc—and the exploit only required one piece of very easy to get personally identifiable information: a phone number.
The exploit was detailed by bug hunter Anand Prakash on Medium, including step-by-step directions that showed how an attacker with only a phone number could compromise access tokens by sifting through a user’s cookies.
Prakash was careful to point out that the vulnerability had been fixed.
Read more here.
